How do you determine:
a) whether that IP address belongs to an organisation that only supplies hosting rather than access to any significant (more than just employees) number of human beans? Is there anything that can be done other than checking out their website? Do you need a certain traffic level before you can be confident that if they provided legitimate access you would be seeing it in your logs/analytics?
You've multiple questions here, however you have them out of order (i.e., the "b)" section of your inquiry is the first order of business:
1) "backbone" (i.e., server farm, reseller, colocation, or what you may chose to call them. Generally speaking there is NOT any benefit in potential visitor traffic from other websites or visitors that are using this type of IP/hosting.
2) the backbone is in the business of selling their services and generally will NOT deceive the public in presenting their service products.
3) Most of these types of pests, will use a bare-bones initial visit to test the waters. If your able to recognize them in these test-the-waters visit, that's enough in most instances. Others, will simply appear and grab every page on your site (s), although the latter has become less and less in recent years (see this thread
b) the entire range containing that IP? Is this just based on what hits your site or can it be looked up? I've tried a few searches for tools in this area but I don't really know how to phrase the search.
There are three major registrars for the entire world (ARIN, RIPE, and APNIC (there are a few smaller ones as well), ALL of which offer a "whois search".
Enter the IP from your logs and the entire range (including any registered sub-nets will be provided in the results.
There are other websites and/or tools which use the data from these orgs and/or provide queries to these same org websites, however why deviate when the source is available.
c) whether the organisation has any other IP ranges that you might want to block? Clearly cannot be done from logs/analytics before showing up in said logs/analytics.
I recently provided an example of doing a name search at the registrar's (i.e, ARIN) in this thread
[webmasterworld.com]. (see "PPPoX Pool")
Summary. . .In the end, each webmaster must decide what is beneficial or detrimental to their own website (s).
There's NO rule of thumb. A visitor (IP range or otherwise) that I chose to deny, may be a visitor that another webmaster desires.
Most folks today are using "white listing" (denying MOST all visitors and allowing specific User Agents or IP Ranges), rather than "black listing" (denying specific User Agents or IP Ranges).
The problem with presenting usable examples in these open and readable forums is that the pesty-bots and harvesters may also read the criteria for access and then modify their forthcoming User Agents. As a result, most longtimers here are very reluctanct to add examples of "white listing".