Layers. These boxes don't have removable media, so you can't move software or data around. The 'rbash' shell not allowing a directory character in a command or file name further blocks the possibility. The company firewall blocks access to this address range. Actually, the reason the O/P's idea won't work here is that we block access to ALL local ISPs, from Comcast, SBC, Road Runner. etc., on down to the "Mom and Pops" with a /24 and a T1.
"We" don't. The computers are owned by the employee association rather than the company, and share a separate broadband connection to a local ISP. The company provides power and physical space, but that's it. Abuse is controlled by the fact that the systems have limited capability, and by peer pressure.
We had an industrial espionage incident back in the 1980s. There was considerable screaming and gnashing of teeth. We're the company's R&D division, and our income depends on corporate profits, not so much as on sales. Information Security has a direct (as well as indirect) effect on those company profits.
Old guy