Comment Don't let a server call home! (Score 2, Interesting) 600
Why should a (web)server be allowed to issue any request ? It should be configured to answer queries only, no ? iptables is great and easy to set up for that task. Even for software update, one may push the package needed to the target server in place of the usual pull from the target; so no exceptions are needed on the firewall.
For desktops it's a little bit more complicated... but using a home partition mounted with noexec should suffice. Installing a new software is not a casual issue but a real event and should be taken care of by someone knowing what he's doing. That's why root was invented, isn't it ?