From a business point of view I agree with this guy, but we know the admins are often slackers and they are the cause of most security failures. It never hurts to be extra safe in my rule book, but what are your thoughts on this matter?

"I’d rather have security baked right into my network design than scattered willy-nilly around my desktops and servers. For example, there’s much to be said for separating your machine room from your desktop computers with a robust firewall, through which all client/server traffic is routed. You’d then have a boundary router (more likely several) in place to protect the desktops from the outside world, and perhaps even firewalls between various sections of your business’ desktop population. Think of these as layers of an onion, where you can also divide each layer to separate out similar sections into their own managed spaces." | more