Insecure applications

Anyone who deals with network security has run into this problem:

Department/powerful-user buys an application for a lot of money. They would like it to work, please. The application's requirements state, "disable all security systems so our crappy-app can work unencumbered." Crappy-app runs into network security problems and dies. Department/PU contacts IT and asks to have network security disabled so their expensive crappy-app can run correctly.

What happens next is a very good test of management's commitment to network security. Will management say:
  • Hmm, that's a lot of money. IT, make an exception for this app.
  • Hmm, that's a lot of money. We'll have to make it work somehow.
  • That's a really insecure app, too bad you spent a lot of money. It will not be installed. Let this be an object lesson to you all.

We just got a request for something like this. Apparently the application's requirements include disabling the Windows firewall. We've turned it on by GPO, so it will always be on. This is the secure way to live. Whether we get told to make an exception, make it work somehow, or ignore it remains to be seen.