The only remote access to my LAN is via CISCO VPN. Group policy that all lusers are in requires an active firewall and antivirus prior to connecting. If the kiddies have disabled the antivirus, the VPN connection will terminate at the gateway. Also, I do not allow split tunneling so once a tunnel is initiated, all internet traffic goes through my gateway. At this point IDS, Web filtering and stateful packet filtering takes place.

Doen't matter how or where they connect, If they don't follow the policy they can't log on. Also when I first set the VPN restrictions I had to kind of lie. Said that the firewall and antivirus requirements were part of the latest IOS and couldn't be disabled.

Just a tip to get past teh managers that think they know how stuff works.