It depends what you intend to achieve
If goal is to prevent unknown machine to get valid IP address and therefore access your LAN, then you could provide DHCP lease only to known MAC addresses but:
- this can be painful if you have a lot of machines
- this doesn't bring security as faking MAC address is quite easy
- machine can still connect without using DHCP
Another approach could have been to implement authenticated DHCP but Zentyal doesn't provide this feature.
If goal is to prevent unauthorized account to access internet (i.e. browse), then you could just enable HTTP proxy authentication