We are redesigning our IT environment (software and hardware) and are looking for a solution in which our systems will not be vulnerable to any type of threat from our internet connection (web browsing, email, IM, FTP, etc.). Today's typical solution is to surround ourselves with expensive and complex layers upon layers of detection software and appliances, and new companies are popping up daily with these products. Instead, how can we design a system (or overall computing environment) that is not vulnerable in the first place? I feel that there is enough technology out there to do this; I just have not figured out the right mix yet.

For example, our research has included the following: thin clients, ASP-hosted apps, PC blades, streaming O/S and apps, virtual PCs and servers, diskless Linux workstations, non-mainstream vendors, multiple system domains and user profiles, isolation servers, O/S freeze type products, etc., etc., etc. We've come up with a number of possible strategies, but all have some limitations or flaws.

One thought was to use a thin client device with an embedded browser for the bulk of user web browsing (so Internet-borne threats cannot affect it), and connect to a Microsoft Terminal Server to access Microsoft IE when necessary; that TS server would actually be a virtual server that got rebuilt every night to clear out any malware, etc. We would also set up a virtual Terminal Server for an email client. This does not make us vulnerable, but it does come close; however, there are user profile and other issues (limited embedded web browser, etc.).

Ideally, our ISP should provide a clean, threat-less internet connection, but that has not happened. I'm open to any think-outside-of-the-box creative solution. Our company has about 50 users and is currently running Win NT, MS Office 97 Pro, Exchange 5.5, and Outlook 98. Any suggestions?