The ifconfig command to change it (as root user or using sudo) is simply "ifconfig en3 lladdr 00:11:22:33:44:55" of course inserting your MAC address.
You will need to do some testing because normally the command to change the address is only valid during that boot. When you reboot the computer, it would reset the address back to the hardcoded address. However since it is in the display and it doesn't reboot like a computer, I'm not sure what would happen. It might keep the address or it might reset it when you disconnect. Is there another TB-enabled laptop you can borrow to test it to see if the address stays changed when you switch connected computers?
If not, you would have to write a script to change it every time you connect so that it would set the display's MAC address (en3) to the same as your laptop's ethernet (en0).
If it doesn't work out and there is a security risk, your IT department might want to look into locking out the TB's MAC address from the network and require you to continue connecting the ethernet to your laptop. Not ideal but IT security policies hardly ever are.
Another idea they might want to look into is to use an ethernet port lock so that someone can't use the TB's ethernet port at all.
Either way, please post back with your findings/solution as I'm very interested to know how this turns out.