Mac addresses won't do you any good once you hit the first router.
The primary thing that routers do, (once they have decided to
to handle your packet) is to strip off the mac header, and
regenerate this based its own, and the next hop router.
If you're concerned about a single IP segment in your company, and whether
or not someone is obtaining privileges they are not entitled to, you might
see whether or not your brand of router will issue an SNMP trap based on
a change of mac address in its ARP cache.
I can't speak for other manufacturers, but our (3Com) routers will allow
you to forcibly configure a static IP/mac address pair. Once this is
configured to a particular static mac address, any other devices that
pretend to that IP address get nowhere.
It's likely that other routers have similar capability as well.
I would advise against this however, unless you are aiming at protecting
a very limited range of IP addresses from being spoofed internally. Then,
if the device gets a new NIC, you'll have to change the static address.
Then you need to make sure that this configuration is VERY well documented
and known, or you may be asking for a real troubleshooting headache.