Move the firewall inwards (Score 2)
It's a long time since I had any involvement in corporate IT networks, and I realise that a lot is easier said than done, but if I were designing one from scratch today, I wouldn't treat any physical internal employee work location (ethernet at the desk or office-wide WiFi) as being any different from the wider Internet.
This would enable an infrastructure to be set up where protection was focussed around the core services and the communications channel between them and the accessing client, rather than having to worry about what is actually going on at the employee's desktop; because even if you do restrict external Internet access, your employees are just going to use dongles or their mobile phones.