This is configurable, but yes. The DHCP enforcer can quarantine endpoints that don't have SNAC installed:
http://www.symantec.com/docs/HOWTO81798
http://www.symantec.com/docs/HOWTO81798
This of course means that clients without SNAC will never get network access because they cannot pass the HI check. If you have a requirement to allow guest machines access to the network, then you'd have to introduce the Gateway Enforcer, which can provide a temporary SNAC client:
http://www.symantec.com/docs/HOWTO81738
This temp SNAC client can then perform the HI checks, allowing the DHCP enforcer to assign the guest machine a production address and mask, if the client passes.