October 2nd, 2003, 03:52 PM
#9
MidNyte: I have about 650 users that _could_ access internal work stuff from home.
For Email I set up an Exchange server and allow them access through Outlook Web Access, (OWA)..... That way I don't have to worry so much about their machines being compromised. They don't have access to the internal system from outside anyway. It runs on SSL so it is encrypted too.
For those people who have VPN access our policy is that they must purchase a hardware firewall, (Linksys or whatever), if they are on high-speed connections and bring it to me for configuration. The bringing it to me for configuration bit is to force them to go and buy the damn thing not try to lie to me that they did...... While I "configure it for them" I sell the benefits to them personally in the hope that they do not simply return it afterwards. The big part though is the fact that by accepting the VPN access they are authorizing me to make random scans of their machine to ensure that the firewall is there and has not been tampered with. Do I actually do them.... rarely.... It's a time issue, but it helps to force them to put it in place. Then, the VPN allows most of them access to only a terminal services server that has profiles on for them. In that way an infected machine is less likely to detrimentally affect other machines on the network through the VPN. Finally, everything that comes through the VPN is logged and an IDS looks for VPN traffic attempting to go to machines other than the terminal services server. The few dial-up users are encouraged to get ZoneAlarm but we do not make such a big deal and they suffer the speed problems a VPN/term server/dial-up connection deals them and are encouraged to go high speed with a hardware firewall.
Finally, and the thing that will probably steer your company in the right direction is the legal ramifications of allowing everyone in the company access to their work from home. There have been several instances where, (to the companies involved), it seemed to be a good idea to let employees do some additional work from home if they want. However, there have been several cases in the courts where non-exempt, (hourly), employees have got pissy with the company, quit and then billed the company for x thousand hours of uncompensated labor. In each case I believe the company has lost and it has cost them very large sums of money. Consequently, my organization allows only:-
1. Exempt employees authorized by their administrator
2. Employees who, by the nature of their job, work from their homes.
In order to become one of the privileged members of the second group they are required to sign a document stating that they are paid 40 hours per week regardless of the time it takes them to complete their tasks in exchange for the privilege of being able to work from home and set their own hours - kind of an hourly exempt worker.
Hope this helps....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
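
The IDS check described in the post above (VPN traffic trying to reach anything other than the terminal services server), as an added example that is not part of the original post. The VPN address pool, the server address, the log format and the extra port rule are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration; the post gives no addressing.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")          # addresses handed to VPN clients
TERMINAL_SERVER = ipaddress.ip_address("192.168.10.5")  # only permitted destination
ALLOWED_PORTS = {3389}                                  # terminal services (RDP), assumed

# Constructed sample log lines: "timestamp src dst proto dport action"
SAMPLE_LOG = """\
2003-10-02T15:40:01 10.8.0.14 192.168.10.5 tcp 3389 allow
2003-10-02T15:40:07 10.8.0.14 192.168.10.22 tcp 445 allow
2003-10-02T15:41:12 192.168.10.30 192.168.10.22 tcp 445 allow
2003-10-02T15:42:30 10.8.0.27 192.168.10.5 tcp 139 deny
this line is malformed
2003-10-02T15:43:02 10.8.0.27 192.168.10.5 tcp 3389 allow
"""

def find_violations(log_text):
    """Return (alerts, skipped): VPN-sourced flows that go anywhere other than
    the terminal server's permitted port, plus the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, proto, dport, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1          # wrong field count or bad address/port
            continue
        if src_ip not in VPN_POOL:
            continue              # not VPN traffic; out of scope for this rule
        if dst_ip != TERMINAL_SERVER:
            reason = "destination is not the terminal server"
        elif port not in ALLOWED_PORTS:
            reason = "unexpected port on the terminal server"
        else:
            continue
        alerts.append({"time": ts, "src": src, "dst": dst, "port": port,
                       "action": action, "reason": reason})
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = find_violations(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['time']} ALERT {a['src']} -> {a['dst']}:{a['port']} "
              f"({a['action']}): {a['reason']}")
    print(f"{skipped} unparseable line(s) skipped")
```

Allowed flows that still raise an alert (the second sample line) are the ones worth chasing first, since they mean the VPN filtering let something through that the policy says it should not.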