>Is “browsing down” even possible under those circumstances?
Seems like it could be done by having a mobile workstation that doesn't read email or browse the web, just acts as a secure 'satellite' administration device that does little more than VPN back into the administrative network. From there, you jump off to a terminal server if you need to browse or email.
The termination of that admin VPN would probably need to be a distinct endpoint from the general VPN access concentration, and have additional security/authentication measures in place.