do you implement any controls on windows server, especially those which house sensitive and security related info (i.e. domain controllers), to prevent users from accessing the internet from a web browser installed on the servers. And if so how do you achieve this? I understand the risks but you would hope administrators are sensible enough not to do this kind of activity, but I presume implementing a control rather than trusting admins would be better.
likewise even on workstations - do you implement controls to check if a local admin on that machine - restrict internet access. and how do you achieve this?