My university (MIT) does similarly, turning off the drops of infected computers. Usually, it works well, but more and more students are using laptops, which are mobile, often with wireless. Any time an infected machine plugged into a new drop or used a new WAP, down it went. A single student took down several others' drops by using their WAPs, and never noticed the problem because they never received mail (the WAP owners did, after their drops died). This is only going to be more of a problem as laptops become more common. Banning MAC addresses seems like a more logical solution, as students knowledgeable enough to reprogram their MAC address are also probably knowledgeable enough to protect their computer from worms and other exploits.