Hi Les,

This is just a small piece of the puzzle. I'm at home now, but I have the code numbers from Symantec on what client settings mean.
We took a hard-line approach and just say that ANYONE that connects to our network via any method MUST install and run our Managed version of NAV. No exceptions...
For Dialin I would check if they were coming in via Dialin or not and let them know. Since it is a large update I would probably only force dialin to update once every 2 weeks. The older versions did not update over a 56K modem; the new version seems to work by building up a piece of the update in the background, and once it has the complete file it applies it. This could take a few dialins to complete; for those that don't work I would force it. For LAN/WAN yes, I would keep them up to the Parent Server versions. However, some clients have problems even though they are managed. On those I would FORCE the update via the script. There are too many little things that can keep a client from updating itself; that's where the script comes in.

The reason some clients fail is that somehow a GRC.DAT file gets a read-only attribute, so it will never get deleted. I have a much bigger script that attempts to remedy known problems. Not done yet, I'll email you if you want, but I'm not quite ready to post the whole thing.

As far as other methods, we have a Firewall running on a SUN box to all Internet traffic. It has filters out the gazoo, and we have a couple of different AntiVirus and filter routines on a Central mail hub that all external/Internet email must go through first. We have deleted and re-associated WSH to open with Calculator. We try to keep up our IIS Servers with the weekly patches.

We do okay, but Nimda still hit a couple boxes. Can't seem to keep on top of all of the boxes out there. Some users bring in their own CD and install stuff on our Network. We often find out only after a problem arises.

Let me get some of the stuff together and I'll email you. Maybe you can help me finalize it and clean it up a little. Many SUB routines that kind of got messy.
Maybe we can work on it together offline since there appears to be at least a few others interested in this topic. Then when we're ready we can post it and ask for suggestions at that time.

Let me know if you're interested in helping out or not on a more complete solution.

[ 02 November 2001: Message edited by: NTDOC ]