02-21-2017 12:57 PM
I understand that a HIP check can be used on the local LAN when the GlobalProtect client connects to the internal gateway.
Thanks
02-21-2017 02:16 PM
Depending on how you set up your HIP check it could make a pretty effective 'NAC' environment. You could HIP check to make sure that they were within your network's requirements (AV current and run in a timely manner, domain joined), and then set up security policies that wouldn't allow anybody to your different security policies unless they had a named user account.
You could potentially deny any non-named user access to anything within your network, or outside internet access with ease as long as you set up your security zones with this in mind. Otherwise you could just make it so that your servers/internal resources were in a dedicated 'zone' that the user would not have access to unless they had logged into GlobalProtect and received a GP address that had security policies that allowed zone access.
This can, and has been, done. It works well as long as you are aware that, like any NAC solution, you will likely run into occasional issues. It doesn't act as a true 'NAC' as you don't have all of the checks that a traditional NAC would employ to verify that the device was supposed to be on your network. That being said, most people don't utilize any of the features in a NAC deployment that couldn't be done with a HIP check and the proper security policies on the firewall. I wouldn't really want to make this change in a working enterprise environment though, as switching over to something like this would be a fairly substantial upgrade; NAC has the advantage of being something that you can easily tune and assure management that it's working prior to a full roll-out.
10-25-2021 10:27 AM
Hello
I found this while searching for the same solution, which we're asked for in our cyber compliance checks. Are there any docs I can read on this on the PAN support portal?