Saturday, July 01, 2006

IPsec and 'Server and Domain Isolation (Windows)'

You can mitigate some of the risks associated with unauthorized and potentially unfriendly access to your network and its resources by creating an isolated network... To isolate the authorized and managed computers from the other computers on your network, you can create an isolated network; a set of network nodes whose grouping is independent of the physical network topology.

[1-] You can create an isolated network based on the Physical layer of the Open Systems Interconnection (OSI) model, in which you run a separate cabling system for the isolated network...

[2-] You can also create an isolated network based on the Data Link layer of the OSI model, in which you use Layer 2 switches and virtual LAN (VLAN) technology to create logical network segments by grouping computers regardless of their physical connection to a set of switches. With VLAN technology, you can also create an isolated network based on the Network layer of the OSI model, in which you create logical subnets and define the routing between the subnets.

[3-] With the Microsoft® Windows® operating systems, you can logically isolate your domain and server resources to limit access to authenticated and authorized computers. Windows-based network isolation occurs at the Network layer of the OSI model [He means based on IPsec, not a new invention as you may feel from the text!]...

(Server and Domain Isolation main page, Microsoft)

These links are enough; there is no need for my explanation:
+ Improving Security with Domain Isolation: Microsoft IT implements IP Security (IPsec)
+ James Morey blog IPsec and Domain Isolation; Related posts: 1, 2, 3
+ IPsec on Wikipedia
+ An Illustrated Guide to IPsec
+ OpenBSD: IPsec man page; see also isakmpd(8)
+ NetBSD: IPsec man page; see also racoon(8)

2 Comments:

Anonymous said...

802.1x is yet another way to isolate the traffic, by implementing authentication for access.
Indeed, 802.1x is a wide topic, but it covers this title too :)

http://en.wikipedia.org/wiki/802.1x

Hamid.k

5:15 PM  