Sean Donelan wrote: <snip>
Since many Microsoft patches are only legally available via the Internet, and an ISP can not predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access which includes access for most worms.
<snip> May I recommend developing an in house method for allowing the customer only access to your servers (web, dns, proxy, etc), and then apply filters for everything else except for tcp/80. If you wanted to be additionally paranoid, you could even allow only established tcp/80 connections back to the customer. Once updated, customer could establish contact to have filters removed, or an automated web process you be created. It's a ton of work, and there are any number of ways to do it. A lot depends on your network. It can be done, though. Jack