Construction company Barton Malow takes the hard-line approach, using proxy servers to give employees access only to sites deemed business-relevant. It works with business units to add sites to the list or give limited access if there's a business need. The company controls access to Web apps through ports in its firewall. "It's not perfect, but it is very effective," CIO Phil Go says.

The Bottom Line
For many IT managers, talk of expanding access to Web apps or giving employees more control begins and ends with security.

With the increased revelations of system breaches and vulnerabilities, and warnings about all manner of other misconduct employees are capable of, it's no wonder that business technologists are paranoid. "We've found things like active prostitution rings being run out of organizations," says John Amaral, VP of research and development at content monitoring and filtering company Vericept. "We've found corporate espionage, people falsifying claims of sexual harassment."

But security concerns can become a crutch for IT teams, Gartner's Smith says. "If they put policies in place and make it so that people go around them, they end up opening up bigger security holes," he says. For instance, severely limiting E-mail storage can encourage employees to use a free service like Google's Gmail, putting sensitive information at risk. Better to just give employees the E-mail storage they need.

Overbearing security can hurt productivity. The software developer cited earlier relates how the IT department's fear of malware has led to an over-the-top computer hygiene regimen that even shuts off a PC's audio, cutting him off from Web conferences and seminars. Then there's the matter of basic computer performance. "I don't mind the scans when I go to a Web site or the prolonged downloads," he says, "but when my cheap, underpowered computer at home kicks butt on my work computer, there is something wrong."

ProBusiness Services, a division of payroll services company Automatic Data Processing, gives considerable flexibility to its tech pros at least. Senior network engineer Bob Pierce uses lots of open source security tools, such as Nessus and LaBrea, not sanctioned by the IT shop. "I kinda come from the Wild West, so I definitely would push back against any policy that prevented me from downloading software that I needed to do my job," Pierce says. "Almost everything I use is not supported by the organization."

That doesn't mean companies should give employees carte blanche, Pierce says. Anything imported must be run through security checks to ensure that they don't contain viruses or spyware. Any output from the unauthorized software must be compatible with corporate software standards--spreadsheets that produce Excel files, for instance. And don't expect the help desk to support the unauthorized stuff. "But having a blanket policy that says you may only run our standard applications is awfully shortsighted," Pierce says. "People work and learn in different ways, and having some arbitrary decision made isn't a very realistic perspective on productivity."

The pressure isn't going to let up on central IT teams, whether it's from people like Pierce on the inside or from an outsider like Bennett Haselton. Haselton, a programmer, runs Peacefire.org, a site that helps Internet users figure out how to bypass filtering software. Some sites, like Boing Boing, offer tips on their site for how to foil business's Web filters. "I've always thought if your employer needs to censor your Web access to keep you productive, then your workplace rewards must not be very performance-based," Haselton says.

Employers are limiting the use of unauthorized technology, often for the sake of safety. The question is whether IT's caution creates too much drag. The challenge ahead for IT organizations is to strike the right balance --and to maintain that balance as the ground shifts.