Since many Microsoft patches are only legally available via the Internet, and an ISP cannot predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access, which includes access for most worms.

Has anybody tried a firewalling solution in which unpatched PCs are only able to access a special ISP-operated forwarding nameserver which is configured to only reply with A records for a list of known Microsoft update sites? And then have this specially patched nameserver also trigger the firewall to open up access to the addresses that it returns in A records?

According to Microsoft, their list of "trusted sites" for MS Update is *.update.microsoft.com and download.windowsupdate.com. Even if they have some sort of CDN (Content Delivery Network) with varying IP addresses based on topology or load, this is still predictable enough for a software solution to provide a temporary walled garden. You don't need to make copies of their patch files. You don't need MS to provide an out-of-band list of safe IP addresses. As long as you are able to divert a subscriber's traffic through a special firewalled garden, an ISP can implement this with no special support from MS.

Wrap this up with a GUI for your support-desk people to enable/disable the traffic diversion and you have a low-cost solution. You can even leverage the same technology to deal with botnet infestations, although you would probably want a separate firewalled garden that allows access to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's own pages, etc.

--Michael Dillon
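The forwarding-nameserver plus firewall-trigger idea in the post above, as an added example (not code from the original message): a Python policy core that answers only for the two Windows Update names Michael quotes and records per-subscriber firewall pinholes that expire with the returned record's TTL. The upstream resolver, the subscriber address, and the rule-string format are stand-ins supplied by the caller.

```python
"""Policy core for a patch-only DNS walled garden (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Names Microsoft listed as the Windows Update "trusted sites"; a leading
# "*." entry matches any label(s) beneath that suffix, never the bare parent.
ALLOWED_NAMES = ("*.update.microsoft.com", "download.windowsupdate.com")


def normalize(name: str) -> str:
    """Strip the trailing dot of an FQDN and fold case for comparison."""
    return name.rstrip(".").lower()


def is_allowed(qname: str, patterns=ALLOWED_NAMES) -> bool:
    """True if the query name matches an allowlisted name or wildcard."""
    name = normalize(qname)
    for pat in patterns:
        pat = normalize(pat)
        if pat.startswith("*."):
            suffix = pat[1:]  # ".update.microsoft.com"
            # endswith plus length check rejects "xupdate.microsoft.com"
            # and the bare parent "update.microsoft.com".
            if name.endswith(suffix) and len(name) > len(suffix):
                return True
        elif name == pat:
            return True
    return False


@dataclass
class Garden:
    upstream: Callable[[str], List[Tuple[str, int]]]  # name -> [(ip, ttl)]
    clock: Callable[[], float] = time.time
    # firewall pinholes keyed by (subscriber, ip) -> expiry timestamp
    pinholes: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def answer(self, subscriber: str, qname: str):
        """Return ("NOERROR", records) and open pinholes, or ("REFUSED", [])."""
        if not is_allowed(qname):
            return "REFUSED", []
        records = self.upstream(normalize(qname))
        now = self.clock()
        for ip, ttl in records:  # pinhole lives as long as the A record does
            key = (subscriber, ip)
            self.pinholes[key] = max(self.pinholes.get(key, 0), now + ttl)
        return "NOERROR", records

    def firewall_rules(self) -> List[str]:
        """Drop expired pinholes and render the rest (rule format is hypothetical)."""
        now = self.clock()
        self.pinholes = {k: v for k, v in self.pinholes.items() if v > now}
        return [f"allow {sub} -> {ip} tcp/80,443" for (sub, ip) in sorted(self.pinholes)]
```

Refusing non-allowlisted names rather than answering with a sinkhole address keeps the client's error visible to the support desk, and the TTL-bound expiry is what makes the garden "temporary" even when a CDN rotates addresses.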