said by slajoh01: It would reduce risk, but even that wouldn't be foolproof. You'd have to apply those rules to all the computers on the network. It all boils down to the level of motivation and resources of those that want to get in. (Think of Stuxnet.)
Well, here is my rule of thumb...
I think one should set up two PCs: one with sensitive data on it which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBSTOR. And use full HDD encryption.
One PC, for general use.
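As an added illustration (not part of the post above), the following read-only PowerShell audit checks whether a Windows machine matches the "sensitive PC" baseline described: USBSTOR disabled, removable storage (USB sticks, DVDs) denied by policy, and full-disk encryption active. It goes slightly beyond the post by also checking the removable-storage Group Policy value; it assumes Windows 10/11 with BitLocker and an elevated shell, and changes nothing.

```powershell
# Added example (not from the post): read-only audit of the controls the poster
# describes for the sensitive PC: USBSTOR disabled, removable storage denied by
# policy, and full-disk (BitLocker) encryption on the system drive.
# Assumptions: Windows 10/11, run in an elevated PowerShell so BitLocker status
# is readable. Nothing is changed; the script only reports.

function Get-UsbStorStart {
    # Start = 4 means the USB mass-storage driver is disabled at boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
}

function Get-RemovableStorageDenyAll {
    # Group Policy "All Removable Storage classes: Deny all access" writes Deny_All = 1
    # (covers removable disks, CD/DVD, floppy, tape and portable devices).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $val = Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 0 }   # policy not configured
    return $val.Deny_All
}

function Get-SystemDriveEncryption {
    # ProtectionStatus 'On' means BitLocker is active with key protectors enabled.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    return [string]$vol.ProtectionStatus
}

function Test-SensitivePcBaseline {
    $start   = Get-UsbStorStart
    $deny    = Get-RemovableStorageDenyAll
    $bitlock = Get-SystemDriveEncryption
    $result = [PSCustomObject]@{
        UsbStorDisabled        = ($start -eq 4)
        RemovableStorageDenied = ($deny -eq 1)
        SystemDriveEncrypted   = ($bitlock -eq 'On')
    }
    $compliant = $result.UsbStorDisabled -and $result.RemovableStorageDenied -and $result.SystemDriveEncrypted
    $result | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant
    return $result
}

Test-SensitivePcBaseline | Format-List
```

Disabling USBSTOR only blocks the mass-storage driver class; the Deny_All policy is what also covers optical media and portable devices, which is why the audit reports both separately.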