The basic version included with the Protection Suites is "Self Enforcement". This uses the SEP Firewall to restrict network access unless the client passes its Host Integrity policy (i.e. all defs are up to date).
Beyond Self Enforcement, there are external enforcers which restrict network access by other means (via DHCP, Dynamic VLAN Allocation, or just blocking traffic while sitting inline). Check out the thread below for a description of the other enforcers:
https://www-secure.symantec.com/connect/forums/which-enforcer-better