The reason I asked is because he said he wanted to restrict computers talking to other computers and servers on a network. So I was looking at it within the confines of the subnet. You could literally come up with a thousand ways to "restrict" access. That is why I asked for clarification. If he was trying to restrict folder access on a server or particular service, Active Directory is an option, but again, I did not know what his specifications were. You can also apply Access Controls within AD. And as the title stated it was a company, then chances are it has AD in it. Which prompted my question.
However, I digress...
Ideally, getting more manageability than the N600 will require more expensive hardware/software, as some of the items above suggest. I personally would look at a centralized approach and have Active Directory (Windows Small Business Server is a great option) manage whichever resources are on the server. Usernames are controlled by the server and workstations do not communicate with each other at all. However, you may not have that capability, so I suggest the options below with what you have.

Wireless Devices

I actually own an N600, and you have two options. The wireless router has a Guest network and an isolated 5GHz band. On the 5GHz band of the WiFi (which most new mobile devices have), enable network isolation; a device will still get an IP address from the router, but it will not be able to communicate with your computers that are hard wired. You can also set up the guest wireless feature in the N600, which will also isolate your mobile devices from touching your LAN.

Workstation to Server
As far as limiting connectivity from a workstation to a server goes, assuming you are running Windows 2008, you can go into the Windows Firewall and block a specific IP address.
LINK: https://support.gearhost.com/KB/a520/block-ip-address-with-windows-firewall-2008.aspx

Workstation to Workstation

For blocking workstation from workstation, again, you can use Windows Firewall.
The only caveat to this is that machines will have to have static IP addresses to block but this can be avoided if they change the IP address.
In that case, you can say only allow communication from these IP addresses and anything else you can block. Careful with this because you may block your gateway or other important services and kill internet connectivity.
You could also block based on computer name too. Also, possibly MAC address, but that may require additional software as I'm not aware of whether you can do that.

Edited by wgman003 - 2/27/13 at 10:30pm
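
The allow-list approach described in the post above, sketched as an added example that is not part of the original post. It builds the `netsh advfirewall` commands as a dry run and always keeps the hosts you must not lock out; all addresses and the function names `Test-IPv4` and `New-AllowListCommands` are constructed for illustration.

```powershell
# Constructed sample values; replace with the addresses on your own subnet.
$Allowed  = @('192.168.1.10', '192.168.1.11')  # workstations permitted to reach this host
$Required = @('192.168.1.1')                   # gateway and other hosts that must stay allowed

function Test-IPv4 {
    param([string]$Address)
    $ip = $null
    # The regex rejects short forms such as "192.168.1", which TryParse would accept.
    return ($Address -match '^(\d{1,3}\.){3}\d{1,3}$') -and
           [System.Net.IPAddress]::TryParse($Address, [ref]$ip)
}

function New-AllowListCommands {
    param([string[]]$Allowed, [string[]]$Required)

    # Stop on typos before any rule text is produced.
    $bad = @($Allowed + $Required | Where-Object { -not (Test-IPv4 $_) })
    if ($bad.Count -gt 0) {
        throw "Not a valid IPv4 address: $($bad -join ', ')"
    }

    # Merge the required hosts in so they cannot be left out by mistake.
    $list = ($Allowed + $Required | Sort-Object -Unique) -join ','

    @(
        # Inbound allow rule scoped to the listed remote addresses only.
        "netsh advfirewall firewall add rule name=`"Allow-listed hosts`" dir=in action=allow remoteip=$list"
        # Default-deny all other inbound traffic; outbound is left open.
        'netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound'
    )
}

# Dry run: print the commands for review instead of executing them.
New-AllowListCommands -Allowed $Allowed -Required $Required
```

Review the printed commands and run them from an elevated prompt once they look right. Existing inbound allow rules with a wider scope still apply, so list them with `netsh advfirewall firewall show rule name=all` and narrow or disable the ones that defeat the allow-list.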