Our government agency has a need to allow our 911 Dispatchers access to the Internet on their MS W2K PCs. The problem is they pull in tons of virus/trojan junk, while doing so. These PCs are on our flat (yuk) city wide network.

We would like to apply the following solution (please feedback on):

On our DMZ, setup a Microsoft Terminal Services server which will be dedicated to servering a Firefox session to each 911 PC for Internet browsing via a dedicated NIC.
The thinking here, is they are not running a browser on the PCs, but an emulated browser, thus the virus occurrance would be on the MS Terminal Server that's isolated from our city network. The other NIC would allow them Intranet browsing only and access to email & files, etc.

Moved: Not a Linux related question. This thread is more suitable in the General forum and has been moved accordingly to help your thread/question get the exposure it deserves.

dont see why it would not work. TS is very good if the server is powerful enough, but keep in mind that means a TS client license for each work station.

second, why are they downloading stuff if they are dispatchers? id just put up a much more secure firewall ruleset that prevents them from just browsing the web, also set up AD permissions and reduce every 911 dispatcher down to most restricted accounts so they can no longer install anything.

AD and a strong firewall rule set will stop 99% of the viruses from getting into your network and also help keep the dispatchers productive instead of waisting time playing around and downloading cr4p they should not be in the first place.