by flai 3215 days ago
Does "VM it" work? I mean, there is PCI and USB-passthrough in qemu, so this might be an option, especially since VMs are easy to sandbox (easier than physical machines where someone might simply plug a cable in so he can watch YouTube, for example).
1 comments

Mitigations only make sense in a cost-benefit analysis when there's a corresponding threat. Why would someone bother with watching YouTube on a junky old PC in a corner of the lab? It doesn't even have an audio card, let alone a modern web browser. Besides, it's on an isolated VLAN and monitored (and backed up) like a server, so anyone messing with its network connection will cause the equivalent "server down" alert in our NOC, not that it will do them much good: This particular lab is in a pretty remote location where network bandwidth is at a premium, so we block YouTube campus-wide.

Frankly, I'm only really worried about malware somehow sneaking aboard the thing, which is why it's on-network in the first place. I don't want people plugging flash drives into it. And fortunately, there are still antivirus products that support Windows XP, which keeps the riff-raff out.