Microsoft have just published a number of documents about using IPsec and Group Policy to only allow access to a domain by computers that are trusted and meet certain requirements (eg. up to date virus scanners and latest hotfixes etc) The documents may be downloaded from the Microsoft IPsec page.