Yes. I thought of this because a year or two ago, someone posted here recommending that we isolate Windows platforms each to its own /30. A little lightbulb went on. And I remembered it today when EverydayDiesel described his issue.
A DHCP "fixed" address assignment is no more secure than a static IP address. There must be trust by the admin that the user will use them. If the system cannot be trusted, then the admin must select one of these three options:
- a VLAN must be used.
- an isolated Ethernet segment must be deployed.
- the admin must reconfigure the user's workstation using a 30-pound/13-kilo sledgehammer.
Option 3 is probably the most fun.
But alas, it is also career limiting.