> Can anyone poke any holes in the method or come
> up with advantages to using a gateway?

Yea, what happens when someone within your organization erects a
service that listens on a non-privileged port (or SMTP/NNTP), and
execs a shell, e.g. an 'inside' job? Don't say it can't happen.
Worse, some remote interloper contacts an X server (port 6000, well
outside the priv-ed range) with*IN* Borland, and starts grabbing bits
off the 'screen'?

The idea behind what Xerox, Sun, and other companies do is to completely
shut off access by not passing *any* packets. The proxy services are just
a way to restore part of what is lost by doing this.

Jim