One of our clients wants to open the Internet through the internal network, and give the users rights to use their local floppy and CD. What is the security baseline for something like this?
There are several things that should be evaluated and added to the client's security policy (some companies require their employees to sign an Internet usage policy as well). First, for the Internet. Among the items to consider is whether the company wants to control access to the Internet, more specifically whether to restrict access to some sites (porn, Web-based e-mail services, hacker sites, etc.). This is best handled with Web filtering and content control software.
Also, do you allow employees to freely download software/shareware and install it on their company PC? Do you allow employees to use the Internet for non-business purposes (shopping, reading magazine sites, etc.)? The Recording Industry Association of America (RIAA) will certainly appreciate a mention within your policy regarding downloading of copyrighted songs.
Some of the same items apply to use of their local floppy and CD. Do you allow users to install their own software? Do you allow them to burn CDs of downloaded material that may cause problems? The idea is to determine the uses that will be required, or allowed, and the uses that should be restricted. That will guide you in the policies that establish the security baseline. As a suggestion, one place to see sample security policies is the SANS Security Policy Project found at https://www.sans.org/resources/policies/.