Microsoft and VeriSign have their own flavor of how to protect networks from infected computers: This new architecture will be based on Microsoft's Network Access Protection (NAP) and VeriSign's Unified Authentication platforms. It's supposed to protect networks by checking that a laptop trying to connect over Wi-Fi has been issued a clean bill of health with the latest patches and virus definitions, among other factors.
But this announcement doesn't mention a press release from yesterday saying that the Trusted Computing Group's Trusted Network Connect specification will also work with NAP. The TNC spec allows computers that connect to a network through any medium to be validated for security before being allowed access. It ties nicely into 802.1X port-based authentication. If a computer fails validation, it's segregated on a protected VLAN that only offers access to patches and updates, but can't reach the rest of the network.
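The validate-then-segregate decision described above can be sketched as follows. This is an added example, not code from Microsoft, VeriSign or the TCG. It assumes the RADIUS server steers the port with the RFC 3580 VLAN attributes; the posture fields, thresholds, VLAN IDs and the choice to quarantine a client that sends no health report are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions, not taken from NAP or TNC).
PRODUCTION_VLAN = "10"
QUARANTINE_VLAN = "99"      # reaches only patch and update servers
MIN_PATCH_LEVEL = 20050401  # oldest acceptable patch date, YYYYMMDD
MAX_AV_AGE_DAYS = 7         # oldest acceptable virus definitions


@dataclass
class PostureReport:
    """Hypothetical health statement a client agent sends during 802.1X."""
    patch_level: int
    av_definitions_age_days: int


def failed_checks(report: Optional[PostureReport]) -> list:
    """Return the reasons a client fails validation (empty list = healthy)."""
    if report is None:
        # No agent on the client (e.g. an unsupported OS): nothing to
        # validate, so this sketch treats it as a failure (assumption).
        return ["no posture report"]
    reasons = []
    if report.patch_level < MIN_PATCH_LEVEL:
        reasons.append("patches out of date")
    if report.av_definitions_age_days > MAX_AV_AGE_DAYS:
        reasons.append("virus definitions out of date")
    return reasons


def access_decision(authenticated: bool, report: Optional[PostureReport]) -> dict:
    """Map identity and posture to a RADIUS-style reply for the switch or AP."""
    if not authenticated:
        return {"result": "Access-Reject", "reasons": ["authentication failed"]}
    reasons = failed_checks(report)
    return {
        "result": "Access-Accept",
        # RFC 3580 attributes used to place the 802.1X port in a VLAN.
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": QUARANTINE_VLAN if reasons else PRODUCTION_VLAN,
        "reasons": reasons,
    }
```

Note that a failed posture check still produces an Access-Accept: the client is authenticated, but its port lands in the restricted VLAN instead of being refused outright.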
So this amounts to Forced Quarantine for computers that aren't carrying their papers. What happens to systems that don't participate in the scheme? Do my PowerBook and Linux Laptop get put on a 'secure' WLAN with nothing but Microsoft patches to download? How about Win 2K?
This strategy requires that you have already patched everything to respond correctly to the port authentication & security verification process, so it's only good for a closed, homogeneous population of Windows boxes.
Every smart system administrator I've ever known has run their network with routable IP addresses, no firewalls and no address translation. While this sounds insane to the average Windows user, it's made possible by actually understanding and implementing security recommendations.