From: "Geo" 

"Richard B."  wrote in message
news:stp5s0dlmec4es1ja9nnnumnqgdpmfvb5b{at}4ax.com...

> He would want email and file access which would let him touch some
> important devices like the mail server.

Email is no problem, that's just port 110 and you can limit his inbound
access to just the mail server. The file access is another issue since many
virus now spread by windows shares. You would need to either limit his
access to read only or run some AV software on the machine he has file
access to and even then you still run the risk of someone rooting his
laptop and using it to copy or delete your files.

One way to at least limit that last part is to configure his machine to do
a VPN and when it does to kill access to anything but that vpn (you would
have to use a script to route the 0.0.0.0 route to some non-existant
address within the vpn to make that happen.)

There is one other option, you can set him up so his machine always vpn's
to the office and all internet access is forced to go thru the vpn so it's
just like any machine at work. That might be slower and more limiting for
browsing the net but it would be a hell of a lot safer.

Geo.

--- BBBS/NT v4.01 Flag-5