The tone of your post suggests an unfair assessment of me that I am trying to game the system or that I don\'t understand why we keep unpatched computers off of a network.
I want to be transparent to our IT staff. It doesn\'t serve my needs to have them lock down what I can do.
These two statements are at odds with each other. It's not so much an 'unfair' assessment (or judgment, as you may think it to be), so much as one borne out of experience. To answer Wanderer's question, "Where did the rest of that come from?", it's because I've been there before, trying to mediate between users that 'just want to do their stuff' and IT departments that are inflexible when it comes to bending their policies... It's not a judgement. I totally understand where you're coming from. It's like speeding. You're on a nice, open, highway. You have a safe car, and you're a safe driver... There's nothing 'wrong' with it, but if the police catch you, you get a ticket. It's not like you're blasting down a crowded city street or anything, so it seems totally unfair. And it IS...yet it isn't.
An example I just read about was a marketing dept. that grew tired of waiting for IT and other depts. to come together and develop a website, so they went out and did it on their own. When it was found and tested, within 10 minutes the testers had admin access to some of the network's core servers from the Internet, and could have brought them down at will.
You mentioned that 'unpatched' PCs can't be on the network, so my understanding was THAT was stopping you from connecting them to the work network, not that you just didn't do it.
I'm on your side here. The solution I mentioned would do exactly what you mentioned, although you wouldn't be transparent to the IT staff, your activities should be limited enough to make them happy. You mention a 'router level block', so only PCs on the same router can talk to each other. That's what a VLAN would accomplish. A software block, like IP addresses and subnetting can be circumvented. A VLAN is a virtual network, so if you say that ports 1,2,6 & 8 are on a VLAN, and the remaining ports are on another, the two groups can't see each other. With some clever manipulation of tagging and subnetting, you can have it so that certain computers are on the network and can see your lab PCs, but the lab PCs can't access the network (and vice versa).
I'm also assuming you don't have control of your local network devices. If the network is that locked down, plugging ANYTHING in that isn't properly configured and authorized won't get connection at all. With a little more knowledge of what you have access to, and how the PCs are physically connected to them, we might be able to help further. Take MAC filtering. You can configure your router so a MAC address can't get out on the network, but can you configure it so the network can't discover that device's presence on the router?
It may not be on their priority list (and I know how lethargic some IT depts. can be) but I can't see why it wouldn't be in their best interest to help you. To them, you're one of the most dangerous types of users out there. You've got a focus, and access to technical expertise, and nothing but good intentions. You'll eventually find some way to crack it. I'd rather KNOW how you're bending my rules (after helping you bend them in a controlled manner) as opposed to leaving you to your own devices...