Thanks people. The comments posted thus far are things I've already considered. My feeling is that i'll allow the filetypes internally, but block them them externally (e.g. block them from the Internet). But is this itself also a vulnerability? Does the browser ActiveX plugin itself have vulnerabilities that can be exploited even if shockwave files themselves are blocked?

Cheers again,

alan mott