The situation you describe is very common - especially in environments where users share wireless laptops. Using WZC with the 'use my windows credentials to log into the wireless network' creates the chicken-and-egg problem.
Some supplicants support 'pre-login authentication', which will basically run a script before Windows tries to authenticate to the domain that will use your entered credentials to log into the wireless network before domain authentication (Broadcom and Intel PROSet are two that I know of).
There is a new feature in Windows XP SP3 that can be used with Server 2008 (Server 2003 can be extended to support it) to do pre-login authentication natively.
But you're right, in environments where users may share a machine - it is more logical to implement EAP-TLS with machine authentication (computer certificates).