Agreed. However, it is possible the achieve rudimentary "proxying" if you have a section of your network that you really want to keep away from direct Windows contact.
I look after a testing lab (broadcast based tech) and none of the lab machines are on the domain for isolation reasons...long story...bottom line is, some of the tools they need require admin rights because they suck and/or were built by cretins...my predecessor had problems with viruses before because of the lax permissions, I therefore decided to remove domain access (they don't really need it, email is Office365 now) and direct access to domain resources (i.e. file sharing).
To do this, I have a Linux box that straddles the lab network and the main company LAN. The Linux box has a dual 10gbe NIC and is connected to a 10gbe switch which also has the file server in (also 10gbe), there is also a quad port gigabit switch which I have configured as a LAG on a second gigabit switch on the Lab network.
The Linux box has a volume mounted over iSCSI which is on the Windows File Server and is re-shared via Linux using SAMBA.
Users in the lab still have mounted network drives, but not direct access to the Windows box. Therefore any creepy crawly wormy things can't directly attack the Windows File Server.
It's not perfect, but it cuts out a lot of attack surface and is easy to monitor / switch off if I need complete isolation in the event of one of the technicians doing something stupid.