The difference being campus machines are null routed rather than disconnected, and they are not reconnected until checked and clean.
And once again, the question: how do you know the machines have been checked and cleaned before they are reconnected? Do you take the customers word, or do you perform some other check yourself?
Network security is high priority here and it doesn't matter what machine is compromised, they are all disconnected in one way or another, and yet we still have to nuke machines occasionally because of suspicious (DDoS/scanning etc) traffic.
Seems like a re-active policy. Why don't you check the computers before they start exhibiting suspicious behavior, such as when they are first connected to the network? Waiting until after the computer is compromised is too late. Some companies require all new computers to pass a network scan (e.g. ISS, Nessus, Retina, etc) before getting assigned a routable address. Should commercial service providers have the same policy when new customers connect to the network? Or is it considered a bad thing to warn customers about vulnerabilities in their computers in advance. Instead waiting until after your receive a complaint about something exploiting those vulnerabilities before taking action?