Thanks for bringing this up bro. I've been researching techniques to check client health all year long. From an admin standpoint, having the ability to check for client health before granting network access is extremely important, especially as we are experiencing a skyrocketing rate of mobile clients (laptops, smartphones, etc.) on our network. We've been trying a couple of solutions from Cisco
1. Cisco CSA (Cisco Security Agent) and CTA (Cisco Trust Agent). Basically, these are applications that reside on XP clients; as clients boot up, CSA will check with the Cisco "server" (there's another app that stays on a server as well) to determine if the client is "healthy" or not. If yes, green light; if not, the access is quarantined (the client will be redirected to a specified VLAN, where it can access the patch (MS, NAV) servers only). You can read more on their pages to find out the details of how they work. Cisco starts its partnership with MS on NAP, and it makes CSA better. MS NAP alone works fine; the advantage of Cisco CSA over NAP alone is the ability to move the client to a quarantined VLAN.
2. Enterasys have their own signature files to check on client health and they can customize the policy down to the port (data jack) level. No client software needed, everything is done at the switch. For small and medium networks, Enterasys would be the best. As the network gets bigger with policies enforced at the port level, it will bring down the switch in no time.
In conclusion, everything does the job but has its own trade-off. If we can have both and combine them, it would be the best.