"A long, long while ago somebody wrote an article on an OS with default-deny as policy, where you (as admin) have to approve each and every bit of software that wanted to run/install itself on your purdy compootah."
You know Windows tried to do that with Vista, with UAC. The end result was exploits STILL going through due to a psychological phenomenon once called "hoop jumping" and now better known as "click fatigue". The problem with default-deny is that it irks users to do it over and over and over again. Make something annoying enough and people either "zombie" their way through it or find ways AROUND it.
IOW, there's just no pleasing some people. Our current situation is untenable, but so is default-deny to the average user. So what do you do?
Biting the hand that feeds IT
