http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

Isolating Network Resources to Better Protect Against Rogue Machines, Infections and Information Theft

· How does one restrict sensitive traffic to specific machines within the network?

· What happens if a new virus or worm reaches your network and your desktops become infected?

By using capabilities built into Windows XP and Windows Server, you can implement a logical isolation strategy. This strategy helps protect your domains, servers and desktops from these threats.

The Microsoft Solutions for Security (MSS) team has released the Server and Domain Isolation Using IPsec and Group Policy guide. This is Microsoft's first guidance on selecting the appropriate IPsec components and the first thoroughly documented prescription for how to implement them.

This solution demonstrates how IPsec transport mode can be used as one of the best means currently available to protect corporate networks. This protection can reduce losses due to information theft and compromise of credentials, and lower administrative costs. The solution also clearly contrasts IPsec transport mode with the more widely known IPsec tunnel mode, one of the prevalent VPN technologies today.
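As an added illustration of what a domain isolation policy looks like in practice (this is not code from the Microsoft guide, which targets Windows XP and Windows Server 2003 and uses that era's IPsec policy tooling), the following PowerShell uses the Windows Firewall with Advanced Security cmdlets available on Windows 8 / Windows Server 2012 and later to create a transport-mode connection security rule in a Group Policy object. The GPO name and domain are placeholders; the rule requires Kerberos computer authentication for inbound traffic and only requests it outbound, which is the usual rollout posture so that domain members can still reach hosts that cannot do IPsec.

```powershell
# Added example, not part of the original page or the Microsoft guide.
# Assumptions: run on a domain-joined machine with rights to edit the GPO;
# "contoso.example\Domain Isolation" is a placeholder "<domain FQDN>\<GPO name>".
$gpo = 'contoso.example\Domain Isolation'

# Phase 1 (main mode) authentication: computer Kerberos. Only machines that
# hold a domain computer account can complete the negotiation, which is what
# keeps rogue or unmanaged machines out of the isolated group.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                -Proposal $proposal -PolicyStore $gpo

# Transport-mode rule for all traffic to and from the member:
#   inbound  = Require  -> unauthenticated peers cannot reach the host
#   outbound = Request  -> the host still talks to non-IPsec peers (printers,
#                          legacy boxes) while the rollout is in progress
New-NetIPsecRule -DisplayName 'Domain Isolation - Require In, Request Out' `
    -Mode Transport `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -PolicyStore $gpo

# Verification on a member after the GPO applies: active main-mode SAs show
# which peers actually negotiated IPsec; a host missing from this list is
# either not yet in scope or failed authentication.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Note that this is the transport-mode contrast the text draws: the rule protects host-to-host traffic on the existing network rather than tunnelling it through a gateway, and the authentication requirement, not an IP address list, decides which machines may talk to the isolated hosts.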

The Server and Domain Isolation Using IPsec and Group Policy guide is available on TechNet at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx