short of blocking the TCP/UDP ports required for Windows browsing, there is no way to have cisco devices keep a user from connecting a PC to your network and configuring a new workgroup/domain. and this wont even stop them from doing it, this would just stop it from advertising and communicating with other workgroups/domains.
you could use 802.1x for authentication to connect a PC to a LAN switch port. this way only authenticated systems could connect to the network.