August 7th, 2006, 02:46 PM
#8
I've been through a couple of these tests as well. Seen them use every trick imaginable.
To say the least... they are amazing and almost always find ways in.
They probed every aspect of Security pertaining to a military Command Center: Physical Security, Network Security, Telephone systems, and most specifically, how/if end users followed security policies. The various teams conducting the test took days. Found out they even had several people in plain clothes hang out at local restaurants during lunch hour to see who came in and if they still had their ID/Security badges on in public. They would also eavesdrop on their conversations to see if people were talking about work-related (and/or sensitive) issues outside of the facility. All of this ties into Information Assurance training programs.
Also a consideration: limit their availability to your network. If you can, enable some sort of Port Security. A lot of times they will walk around, or if assigned to a specific area, will look for a way to jack into the network and run scans. If the port doesn't work, or is locked down in some fashion, you will have earned bonus points on your review.
You mentioned you have networks that don't have access to the net. In case you are referring to a NIPRNet and SIPRNet-like configuration (where you have an unclassified network which has access to the net and a Secret or above network which doesn't), you will most likely have users that have individual accounts on each of those networks. Of course the Information Assurance trainings tell you not to use the same passwords on various networks, but you still get people that do out of laziness..... or in some cases, the upper brass don't always feel those rules apply to them. Regardless, compare passwords from the various networks to see if users have used the same password. If your pen testing team cracks the SAM on an unclass system, I guarantee they will throw those same usernames and passwords against the classified systems. It worked in one case. At that time, one of our own admins (who was the least likely to do this) had the same password on his NIPRNet and SIPRNet accounts. The pen testing team was able to compromise a machine on the NIPRNet and eventually get access to the SAM on one of the DCs.
Sure enough, they took the username/passwords and ran a dictionary attack on a SIPRNET machine and got in..... WITH AN ADMIN account.... DOOOH!
Anyway.... good luck... these tests are nerve-racking!
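The cross-network password check the post describes ("compare passwords from the various networks to see if users have used the same password"), as an added example that is not part of the original post. It assumes pwdump-style exports (`user:rid:lmhash:nthash:::`) from each domain and relies on the fact that NT hashes are unsalted, so an identical NT hash for the same account on two domains means the same password was set. The account names and hash values below are constructed placeholders, not real credentials; the function names are the example's own.

```python
"""Audit two domain hash exports for the same account reusing its password.

Added example, not from the original post. Assumes pwdump-style records
"user:rid:lmhash:nthash:::". NT hashes are unsalted, so equal NT hashes for
the same account name on two domains means the same password was used.
All hashes and account names here are constructed placeholders.
"""

from typing import Dict, List

# Constructed sample export from the unclassified (internet-connected) domain.
UNCLASS_DUMP = """\
# constructed sample, placeholder hashes
Administrator:500:NO_LM:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
jsmith:1001:NO_LM:b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1:::
adm_jones:1002:NO_LM:c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1:::
garbage line without separators
"""

# Constructed sample export from the isolated (classified) domain.
CLASS_DUMP = """\
administrator:500:NO_LM:a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2:::
jsmith:1101:NO_LM:b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1:::
ADM_JONES:1102:NO_LM:c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1:::
svc_backup:1103:NO_LM:c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1:::
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_dump(text: str) -> Dict[str, str]:
    """Map lower-cased account name -> lower-cased 32-hex NT hash.

    Blank lines, comments and records that are not well formed are skipped
    rather than raising, since real exports are often hand-edited.
    """
    accounts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a user:rid:lm:nt record
        user, nt_hash = parts[0].lower(), parts[3].lower()
        if len(nt_hash) != 32 or not set(nt_hash) <= HEX_DIGITS:
            continue  # malformed or missing NT hash
        accounts[user] = nt_hash
    return accounts


def cross_domain_reuse(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Accounts present in both domains with the same NT hash (same password)."""
    return sorted(user for user in a.keys() & b.keys() if a[user] == b[user])


def shared_hashes(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Within one domain, hashes that more than one account shares.

    A privileged account sharing a hash with a service or ordinary account
    is the same exposure as cross-domain reuse, just inside one network.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, nt_hash in accounts.items():
        by_hash.setdefault(nt_hash, []).append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def audit(unclass_text: str, class_text: str) -> Dict[str, object]:
    """Run both checks and return the findings as plain data."""
    unclass = parse_dump(unclass_text)
    classified = parse_dump(class_text)
    return {
        "reused_across_domains": cross_domain_reuse(unclass, classified),
        "shared_in_classified": shared_hashes(classified),
    }


if __name__ == "__main__":
    findings = audit(UNCLASS_DUMP, CLASS_DUMP)
    for user in findings["reused_across_domains"]:
        print(f"REUSE: {user} has the same password on both domains")
    for nt_hash, users in findings["shared_in_classified"].items():
        print(f"SHARED: {', '.join(users)} share NT hash {nt_hash[:8]}...")
```

The comparison is done on the hashes themselves, so no password ever needs to be recovered to find the reuse; a match is enough to force a reset on the isolated network before anyone else notices it.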