The user has rights to access the data on a machine provided to them by us.
They cannot attach a USB drive, burn a CD, or FTP/email out information
without it being flagged/stopped.
So I was asked "What if Joe User brings in his home laptop?"
If a user does, and copies the IP settings from their corporate desktop,
then plugs in their laptop into the same wire and attempts to access a
Windows file share, they are prompted for a username and password. Since they
are a user with valid credentials, they can access the data and
hypothetically copy it and remove it from the building without us knowing.
How can I block a valid user from accessing a file share on a non-AD domain added machine?