I am currently assisting a client, who is basically starting from ground zero for both hardware and operating system, evaluate several proposals and suggestions made by other industry (banking) peers. My client is subject to extremely detailed IT annual audits as outlined by the Federal Financial Institutions Examination Council (FFIEC). Not only does my client desire to meet the requirements of the FFIEC accepted standards, but go well above and beyond as much as possible.
Most of the system architecture has been tentatively decided...with the exception of providing internet access to user workstations. The client does not want any physical data path, other than keyboard input and screen image, from the internet connected machine to any workstation, thereby eliminating the typical inline AV, firewall, etc. approach. The thinking is that when a user needs internet access, via IE, they will make a connection to a central machine/device in a keyboard input and screen image only form, thereby isolating the "exposed" machine/session. Ideally the thought was to have a very basic standard machine install/profile that was reset when the user closed the connection or it timed out. My experience with Terminal Server or VMWare, which seem like possible solutions, is limited and is why I am soliciting input from those of you that may have designed a similar solution or can offer negatives not recognized with this approach. I should add that the number of concurrent internet users is not expected to exceed 5-10 at any one time, and dedicating a workstation/server just for this function is totally acceptable.
While this approach may not be the most direct, it is my client's opinion, which I have to agree with given their goals, that totally removing "exposure pathways" or at the very least, seriously restricting them, will pay off with much smoother and cleaner IT Audits/Reviews. The FFIEC is understandably concerned primarily with preventing unauthorized access to non-public account information.
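An added example, not part of the original post: assuming the "exposed" browsing box is a Windows Remote Desktop Session Host (the Terminal Server option mentioned above) locked down through Group Policy, this PowerShell audit helper reads the Terminal Services policy registry values that control device redirection and session time limits and reports any that would reopen a data path beyond keyboard input and screen image, or let a session linger instead of being ended. The value names are the standard Terminal Services policy values; the time limits are assumptions to adjust to your own timeout policy.

```powershell
# Added audit helper (not from the original post). Assumes the browsing host is a
# Windows Remote Desktop Session Host whose lockdown is applied via Group Policy,
# which writes the values below under the Terminal Services policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected values: 1 = feature disabled; time limits are in milliseconds.
# The 15 minute idle and 1 minute disconnect limits are assumed, not mandated.
$Expected = @{
    fDisableClip         = 1      # no clipboard between workstation and session
    fDisableCdm          = 1      # no client drive mapping
    fDisableCpm          = 1      # no client printer redirection
    fDisableLPT          = 1      # no LPT port redirection
    fDisableCcm          = 1      # no COM port redirection
    fDisablePNPRedir     = 1      # no plug-and-play device redirection
    fDisableAudioCapture = 1      # no audio capture redirection
    fResetBroken         = 1      # end (not just disconnect) the session at a limit
    MaxIdleTime          = 900000 # idle limit, 15 minutes
    MaxDisconnectionTime = 60000  # disconnected sessions torn down after 1 minute
}

function Test-BrowsingHostLockdown {
    param([string]$Key = $PolicyKey, [hashtable]$Want = $Expected)
    $findings = @()
    foreach ($name in $Want.Keys) {
        # Missing key or value yields $null, which is reported as "not set".
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual) {
            $findings += [pscustomobject]@{ Setting = $name; Expected = $Want[$name]; Actual = '<not set>' }
        } elseif ($actual -ne $Want[$name]) {
            $findings += [pscustomobject]@{ Setting = $name; Expected = $Want[$name]; Actual = $actual }
        }
    }
    return $findings   # empty when every setting matches the lockdown
}

$gaps = @(Test-BrowsingHostLockdown)
if ($gaps.Count -eq 0) { 'Browsing host matches the keyboard/screen-only lockdown.' }
else { $gaps | Format-Table -AutoSize }
```

Run it on the session host itself; a non-empty table is the list of settings an examiner would flag against the "keyboard and screen only" design goal.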