Yes it is.
And even better, you can make network objects with the IP's of your clients together with the MAC address.
You should delete from the firewall "Filtering rules from internal networks to Zentyal" and "Filtering rules for internal networks" the rules "any-any".
Or else set the any-any rule as the last rule and set the policy to "deny".
Proceed with adding your users to the list by adding new rules. Choose the network objects you created previously.
The advantage of this setup is that nobody can spoof his MAC address to gain access, because he/se has to know the correct IP. Only clients with IP xxx AND corresponding MAC xxx will be allowed access.
Even then, two identical MAC's or IP's will cause trouble on the network so it should be hard enough for regular users to cheat.
If you are using transparent proxy, keep in mind that you have to set that up also.
If you are using none-transparent proxy you can enable authentication (password prompt) for http traffic.
Cheers.