Couldn't you just run these clients as SecureNAT clients with a static IP (and restrict destination based on IP)? Are you wanting to restrict sites these non domain computers access?