Should have been more specific. Almost no Windows machine in this environment, other than a handful of servers, has internet access. Even those that do need to connect through a proxy/firewall requiring a user/pass to get out to the net.
Among those servers are the SEPM server and the WSUS server. Both need to authenticate (manually) to get out. Part of the twice-daily tasks...
I see way too many administrators struggling constantly to "clean up viruses" and "malware" on production machines to run that risk.
We had an outbreak here once, about 5 years ago... Never again. No external devices connected to the network. Any materials that do come in on USB / external drive, etc. are scanned on a non-network controlled environment before being allowed access into the network.
Mail server has a SPAM firewall with 2 AVs sitting at its border, and the mail server itself has SEP installed on it. Paranoid much? Yes, most definitely.
We have set up an "internet cafe" for all employees; they are not connected to the internal network and can browse freely, or just about, with limitations on the net.
We are considering placing an external AP for employees' personal laptops as well, to have a direct connection to the internet without worrying about compromising internal security.