The simplest/obvious solution is to use firewall rules on the router to exclude computers based on IP and/or MAC address. However, beware that it's trivial to circumvent these restrictions by either manually reconfiguring TCP/IP or MAC spoofing. So it's only going to prevent casual users. Anyone w/ determination and the ability to search Google can easily defeat it.
The proper way to solve this problem is to establish a second network in which only the resources to which they have authorization are present. Instead, you’re doing just the opposite: giving them “the keys to the kingdom” then hoping to control their behavior through “house rules”. That’s just asking for trouble (imo). Bad boys will be bad boys, trust me.
A better approach is to isolate them on their own network and only add the resources they absolutely need. For example, install a second network adapter (wired or wireless, whichever is more practical) on the database machine and connect it to another wireless router. As long as the existing and new network adapters remain UNBRIDGED, they have no access to your internal network, at all. IOW, they’re limited through ARCHITECTURE.
Anyway, that’s what *I* would do.
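Added example, not part of the original post: a check to run on the dual-homed database machine that the two adapters really are unbridged, and (going one step beyond the post) that the host is not routing between them either. It assumes a Linux host and the interface names eth0 and eth1, neither of which the post specifies.

```python
import os
from pathlib import Path

def audit_isolation(nic_a, nic_b, sys_net="/sys/class/net", proc_sys="/proc/sys"):
    """Return a list of findings; an empty list means no bridge or routing path was found."""
    findings = []
    net = Path(sys_net)
    for nic in (nic_a, nic_b):
        dev = net / nic
        if not dev.exists():
            findings.append(f"{nic}: interface not found")
            continue
        # A NIC enslaved to a bridge (or bond/team) has a 'master' symlink;
        # bridge ports additionally expose a 'brport' directory.
        master = dev / "master"
        if master.is_symlink() or (dev / "brport").exists():
            name = os.path.basename(os.readlink(master)) if master.is_symlink() else "unknown"
            findings.append(f"{nic}: attached to master device {name}")
    # Even with no bridge, the kernel routes between the NICs if forwarding is on.
    for knob in ("net/ipv4/ip_forward", "net/ipv6/conf/all/forwarding"):
        path = Path(proc_sys) / knob
        if path.exists() and path.read_text().strip() != "0":
            findings.append(f"{knob} is enabled: host can route between the two networks")
    return findings

if __name__ == "__main__":
    # eth0 = internal LAN, eth1 = isolated network (assumed names)
    problems = audit_isolation("eth0", "eth1")
    for p in problems:
        print("FAIL", p)
    print("isolated" if not problems else f"{len(problems)} finding(s)")
```

Run it after any network change on that machine; a non-empty result means the separation no longer holds through architecture alone.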