This is a classic problem with DHCP, it makes things easier for the
administrator but gives anyone with a laptop access to your network. The MAC
address restriction is the only native method of restricting DHCP address
allocation but it really isn't manageable in a large network.
Look at the problem from a different perspective, why do you not want
visitors to have an IP address? Are you afraid they might access
confidential information or leave viruses on the network? These risks should
be mitigated by ACL's and virus software respectively, not just by denying
LAN access.
My point is that denying visitors an IP address is not in itself a security
mechanism, you have firewalls and suchlike to do that so if your regular
security is set up correctly you would in theory not need to worry about
visitors getting an IP. Remember also that most security attacks come from
employees anyway.
So how does any of this help you? Well, you should start off by thinking
whether or not you really need to restrict IP assignment or if your security
couldn't best be handled at a different layer. If you decide you do need to,
your only options are a very unmanageable MAC filter or perhaps a 3rd party
product.