This editorial was originally published on Nov 7, 2006. It is being re-run as Steve is at SQL in the City today.
I read a novel some time back about the CIA. Well, not exactly about the CIA, but it was a spy novel and the CIA was in it. One thing in there that caught me eye, and probably the only thing since I can't remember which book it was, was the use of a secondary computers by one of the analysts.
In this situation, the analyst had a computer that was connected to the internal network, but not anything outside. Instead there was a second machine that could connect to the Internet and allow research, checking on things outside the internal network, etc. There wasn't an easy way to transfer information between the computer (other than typing it in), so it provided some aspect of security.
That same type of architecture may be the answer to IT control of user's browsing. Imagine if a virtual computer were installed on everyone's machine. With the high power we have and free Virtual PC, this might make sense. Have it automatically installed and connect on a different IP network than the regular machine. This virtual machine could have outside access for Hotmail, browsing, etc., while the internal machine would only allow access to corporate information.
I know there are some issues and the cut-and-paste problem could still exist. There also might be issues with trying to track browsing for regulatory and compliance purposes, but it would prevent some of the secruity issues.
Have a virus hit? Clean out and reset the virtual machine.
It would also help propgations by users who run as adminsitrator. I know you're not supposed to do this, but sometimes it's not practical. You're doing a lot of administrative work and need to check something on TechNet. With cross site scripting issues, even this might not be safe anymore.
Actually the more I think about it, this might be the solution out here at the ranch for letting the kids browse their music sites :)