Hi,
NAP lets you restrict access if a computer doesn't meet requirements for health.
IPsec is one method used to restrict access.
There are several possible ways to restrict access to/from a computer. For example, you can change the computer's routing table, block IP traffic to/from the computer, place it on a different VLAN, etc. Keep in mind that these are not ways to *refuse* access, they are ways to *restrict* access.
With IPsec, the method used is to block traffic to and from the computer. You do this by creating rules (policies). When a computer doesn't match NAP requirements, the "restrict access" policy takes effect.
IPsec decides which computers should be restricted or not restricted based on which ones have a certificate. NAP provides a certificate to healthy computers, and removes it from unhealthy ones.
I hope this helps,
-Greg