With v5.2 we've done this a few ways... Only one is leveraging MAC addresses though...
Option 1 - (if machine is permanently blocked from internet)
> Open DHCP monitor > right-click DHCP lease > create/edit IP Reservation > set action "Block"
Option 2 - (if you want all users to authenticate - I use this option since we have many users using the same computer, so I can't block a certain machine's MAC. Put policies above this policy for internal traffic, i.e. intranet sites, services, etc.)
> Create policy: Internal > Src=DHCP scope/all computers > User Group or User > Internet > All > ALWAYS > All
I believe on v5.0 you can find the same settings stated in Option 1 under "System>Network>Interfaces" and look for your internal network handing out DHCP leases (if done locally with FortiGate). Click the "Advanced.." hyperlink and add MAC addresses with the appropriate action. Hope some of this helps.