I think it is important to disable wireless cards in laptops when a wired connection is present. Microsoft doesn’t. Steve Riley wrote about this back in October 2008. I blogged about that then. Now in a post signed by David Pracht but posted under MichaelPlatts’ userid, the Microsoft Enterprise Networking Team argues that it is no big deal to be connected to the internal corporate network in a wired fashion while you are connected to EVILROGUE hotspot in the parking lot. They says this because Windows 7 has “strong host” routing. Also you could disable the ability to connect to unapproved wireless. They don’t really spell out how “strong host” routing helps.
Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations. “To improve mobility, here is your laptop. To improve security, you may not connect this to any wireless network except the one here at work. And maybe Starbucks”. Sounds like a recent Dilbert strip.
There is no valid reason for users to have multihomed computers. While personal firewalls when configured correctly should prevent intrusion by a parking lot pentest access point, why take the risk? It looks like you have a bad security posture.
Actually the Microsoft article left me wondering what happens if my wired connection is 100 Mb, but the wireless is 802.11n and is identified as having 300 Mb. If both interfaces have default gateways does the wireless connection then “win”. As I understand that article, fastest speed wins. Worth testing.