I recommend basing Vision client identity on the MAC ID of the network adapter that is used to communicate with the gateway. Works even if your IT group screws with the IP addresses. In some environments (Linux, easily), you could also use motherboard serial numbers.
See this topic for MAC ID retrieval:
You can then look up in a database (or just a list of constants) in a client startup event to drive your machine-specific permissions. (I recommend Vision Client tags to hold the resulting decision.)