If you have a router in the middle, you're working across broadcast domains. ARP/Layer-2 communication is done explicitly between mac-addresses.
What happens in typical situation:
PC 1 (ip X.X.X.X, mac XX:XX:XX:XX:XX:XX) wants to connect to PC 2 (ip Y.Y.Y.Y, mac YY:YY:YY:YY:YY:YY)
PC 1 notices that IP Y.Y.Y.Y is not "locally route-able" so it sends the packet to the router (ip Z.Z.Z.Z, mac ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
At this point, the packet leaving PC1 looks like this
src ip = X.X.X.X src mac = XX:XX:XX:XX:XX:XX, dst ip = Y.Y.Y.Y, dst mac = ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
the switch "switches" the packet to the router (because it already knows what port ZZ:ZZ:ZZ:ZZ:ZZ:ZZ is plugged into) the router knows that the IP Y.Y.Y.Y is on it's other interface, and routes the packet to PC2 accordingly.
at this point, the packet leaving the router looks like this:
src ip = X.X.X.X src mac = ZZ:ZZ:ZZ:ZZ:ZZ:ZZ, dst ip = Y.Y.Y.Y, dst mac = YY:YY:YY:YY:YY:YY
PC2 accepts packets on it's mac address... and also notes that the IP is destined for itself... and then does whatever with the packet.
At no point in time did PC1 know the mac address. There is no direct way to know the mac address of devices that aren't in the same broadcast domain... because the "physical address" (or mac) is only used to talk locally to locally connected devices.
http://en.wikipedia.org/wiki/Multicast_address#Ethernet
Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast frames and are flooded to all points on the network.
That basically equates to any address where the second hex digit is 1, 3, 5, 7, 9, B, D, or F.
When you say other limited broadcast, I assume what you mean to say is multicast. Multicast and broadcast Ethernet addresses are not determined by asking the network via ARP for the hardware address that corresponds to the IP address. Rather, it is defined by any appropriately implemented IP stack. Microsoft offers a good document for understanding multicast Ethernet to IP mappings.
Ultimately, though, any L2 address that isn't known by a switch or bridge will flood that L2 segment. Things will only leave the segment if they are interpreted above L2. A network card will only pass packets to the OS where the packet matches its own address or where that second hex digit is one of the ones listed above.
Best Answer
I'm not sure you can do what you're asking for. What message could you send to all hosts at FF:FF:FF:FF:FF:FF that would compel them to reply to you? ARPs get sent to the broadcast address, but only the correct host responds.
I'd use a combination of pinging the broadcast (192.168.0.255 and 255.255.255.255), the MAC address table on the switch, and a Wireshark tap on the gateway's interface to gather practically all of them.
There's no L2 message I know of that will require a response from all L2 hosts regardless of L3 config.