It's pretty hard to setup a DHCP server that will feed two different IP address ranges on the same network, but you don't really need to.
If the old Token Ring hosts can be on the same subnet as your regular network, you could:
1) Create a 'Host' entry for each converted token-ring system by MAC address on your SME server, assigning IPs in a continuous range
2) Use
http://wiki.contribs.org/Firewall#Block_outgoing_ports to block all out-bound traffic from the range of hosts you want blocked
3) Use
config setprop squid DenyHosts to block access to Squid from the blocked hosts (I'm unsure whether this does what we want or not - this step needs testing!)
You could also put all of your old Token Ring systems on a network behind a cheap Linksys router - then just block the "WAN" IP of the Linksys from your SME, or just deny all out-bound traffic from the Linksys LAN to the SME server. This configuration allows the token ring systems to "see" anything on the LAN
except the SME server; since they can't see the SME server, they can't get to the Internet.
Internet
|
SME_Server
|
|-----existing LAN
|
CheapLinksys
|
+-----Old_Token_Ring_Systems