What you can do is, Create different groups as per you differentiate the clients.
Now, For this group where you have the clients that are not yet in the domain but will probably join the domain later. Set the policy to be "Client Control" mode. It's effectively what you want.
Export a package for this group and deploy it on these workstations.
Change the settings back to Server control.
Now, When the clients start checking back in again, They would be put into the Server Control mode with the new policies that you have set.
For the clients that will not join the domain, You can convert them to Self Managed by replacing the Sylink.Xml as they fulfil the criterion of being in client control mode.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021910355348