Personally, I would go the route of a user-derivation rule to throw the printer into a role called "printer". Then I would lock down that role (assuming you have PEF) to only allow the ports necessary for printing (just incase someone tries to get crafty and clone the mac address).
You can find info about how to create the user rule on page 707 of the 6.1 Users Guide.