> I'd say, the job a network admin is to provide positive services: reliable transport of bits, reliable DNS resolvers, etc. Beyond that, a network admin should not look at what users are doing with those bits.
I'll be sure to tell that to the regulator overseeing my industry and my Compliance department.
Maybe you don't want to place that solely on the shoulders of the network admin. These days most network data is encrypted, so the network admin cannot do much.
So either the host must be trusted to conform to policy. In which case it up to the host admin to avoid bad setups, or the host should have no (direct) access to the internet.
I'll be sure to tell that to the regulator overseeing my industry and my Compliance department.