2) Temporarily switch to server-side targeting on the WSUS console and have the isolated servers connect to the WSUS server. Manually put them in the appropriate groups.
In general, those who have tried to change group memberships using this methodology have met with issues, but that may well be because the clients were enabled for client-side targeting.
Effectively, when Client-Side Targeting is set, the WUA is authoritative for the group memberships of the client, and will not query the WSUS server for group assignments. It expressly queries for only those groups assigned. One of the side effects of setting Options->Computers to "Use Group Policy..." is that it disables the ability to assign computers to groups using the console; however, it may also be that this disables the ability of the WSUS server to respond to a WUA query for the client's assigned group(s). I have never tested the behavior at this level of detail, so you'd have to test this to see what actually happens. Also note, though, it would be (from Microsoft's perspective) an "unsupported" configuration.
However, a much more reliable way to achieve this objective, and it would be fully supported, is to simply deploy a replica server for those systems which need to use server-side targeting. The Options->Computers setting is a PER-WSUS-SERVER setting, and does not have to be the same on downstream servers as it is on upstream servers.
This would also give you the added protection of a console (the replica server) where ONLY the machines that should be server-side managed can be. With ALL of your clients in a single console, you'll always run the risk that somebody puts a client-side managed system in the wrong group, and that will definitely complicate things. There's also the risk that somebody forgets to switch Options->Computers back, and that can also complicate things. In effect, the additional server completely eliminates all of the risks naturally associated with the idea of flipping an option to end-run the non-existent policy settings. :-)
Enable Reporting Rollup on the upstream server and you can still do enterprise-wide monitoring and reporting from the upstream server.
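An added audit script (not from this thread or from Microsoft) that checks both ends of what the reply describes: the client-side policy keys that make the WUA assert its own group, and each WSUS server's own Options->Computers mode, so a client-side targeted machine pointed at the server-side replica can be flagged. It assumes the UpdateServices PowerShell module on the WSUS host and read access to HKLM policies on the client; the function names and the 8530 default port are assumptions.

```powershell
# Added example, not from the original thread. Assumes the UpdateServices
# module (Get-WsusServer) is available and the caller can read HKLM policies.

function Get-WsusClientTargeting {
    # Reads the Windows Update policy keys written by GPO on a client.
    # TargetGroupEnabled=1 means the WUA asserts its own group(s) to WSUS.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $p.WUServer
        ClientSide     = ($p.TargetGroupEnabled -eq 1)
        AssertedGroups = if ($p.TargetGroupEnabled -eq 1) { $p.TargetGroup } else { $null }
    }
}

function Get-WsusServerTargeting {
    param(
        [Parameter(Mandatory)] [string] $ServerName,  # upstream or replica
        [int] $Port = 8530,                           # assumed default HTTP port
        [switch] $UseSsl
    )
    $wsus = Get-WsusServer -Name $ServerName -PortNumber $Port -UseSsl:$UseSsl
    $cfg  = $wsus.GetConfiguration()
    # TargetingMode is per WSUS server; a replica may differ from its upstream.
    [pscustomobject]@{
        Server        = $ServerName
        TargetingMode = $cfg.TargetingMode        # Client or Server
        IsReplica     = $cfg.IsReplicaServer
        Upstream      = $cfg.UpstreamWsusServerName
        Groups        = $wsus.GetComputerTargetGroups() |
            ForEach-Object { '{0} ({1} members)' -f $_.Name, $_.GetComputerTargets().Count }
    }
}

# Flag the mismatch the reply warns about: a client that asserts its own
# group via GPO, but reports to a server whose console assigns the groups.
$client = Get-WsusClientTargeting
if ($client.WUServer) {
    $uri    = [uri]$client.WUServer
    $server = Get-WsusServerTargeting -ServerName $uri.Host -Port $uri.Port `
                                      -UseSsl:($uri.Scheme -eq 'https')
    if ($client.ClientSide -and $server.TargetingMode -eq 'Server') {
        Write-Warning ("{0} asserts group '{1}' but {2} uses server-side targeting" -f
            $client.Computer, $client.AssertedGroups, $server.Server)
    }
    $server
}
```

Run it on a client to see its own targeting mode and that of the server it reports to; point Get-WsusServerTargeting at the replica and the upstream in turn to confirm their TargetingMode values differ as intended.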
That is what I feared... Thanks for your helpful suggestions.
I'll see if management is willing to dedicate another server for this purpose.