The solution to this *people* problem is simply : policies + training.

I don't completely disagree with you, but I'd extend it to say "Policies + training + audit".

the microsoft solution, amongst others, provides a way to do this audit. it's not perfect, there are ways around the protection, but those ways rely on the person actively trying to get around the system. they know they are doing something wrong. these document DRM systems provide a framework so that the users can easily see what what they are supposed to be able to do and it prevents them from doing what they're not supposed to be able to do.

it also logs all document requests which can be viewed later. in the OP's case, he stated that requests to open a document from overseas might be suspicious. he can audit the logs from a DRM server to see where requests to get keys come from.

dave

yes, but once its open, it's open. and people are highly likely to open the archive, and keep the document unencrypted on their laptops.

here some form of document DRM could be a quite workable solution. I've been using Microsoft RMS as work as part of a pilot and while it has a few gotcha's, and while it does sometimes seem that MS just don't "get" how people use their software, it does seem to work.

the documents are encrypted within office apps (word, excel, outlook and powerpoint) and it has to authenticate itself to the RMS servers to get the keys.

dave