Advice Line | Bob Lewis » Unauthorized e-mail and what to do about it

July 05, 2007 | Comments: (0)

Unauthorized e-mail and what to do about it



Dear Bob ...

With respect to this week's KJR ("Roving e-mail," 7/1/2007):

Not that they would ever give this answer on the record, but what do you do if your users tell you they are using an external system in order to evade legal requirements on the official system?

- Dodger

Dear Dodger ...

You tell your users that you didn't hear them, and could they please not repeat it.

No matter what your retention policies, employees will err on the side of self-protection, which means that if nothing else they'll mail themselves copies of any e-mail they think will help them if the company tries to scapegoat them on a legally troubling issue.

This is one of those situations where everyone is better off pretending. Asking employees to accept a scapegoat role is a non-starter. Trying to prevent their forwarding dangerous e-mails to their home accounts is impossible. Doing nothing is equally impossible.

So don't ask and don't tell. It's best for everyone concerned.

- Bob


Posted by Bob Lewis on July 5, 2007 09:30 AM


COMMENTS




There is absolutely no reason to expose your organization to unnecessary risks. Blocking access to webmail sites is doable with even entry-level proxy or bridge filters. Rule-based blocking of incoming and outgoing mail can also support this. "Don't ask, don't tell" is shorthand for "this is a tough issue to address with my coworkers and the leadership of my organization, so I'm going to ignore my responsibilities".

Posted by: Jeff Helm at July 7, 2007 09:04 AM

I thought Dodger was referring to users sending email via Gmail, etc., rather than the in-house email system.

Posted by: John Hindman at July 11, 2007 11:12 AM

You can prevent someone from accessing their webmail account, but it is nearly impossible to prevent forwarding of email to one. Customers use those sites as well for their email, so blocking webmail sites at the domain level would be impractical.

Posted by: Dave W. at July 11, 2007 11:12 AM

Good advice, Bob. You'll hear from folks who want to turn off webmail, confiscate camera phones, search briefcases for photocopies of documents... I guess because every person supporting PCs for a living dreams that they are a combination R&D expert and security sleuth!

If they want a copy they'll have a copy, period, and running the average business like a high-security prison is not an option.

Posted by: Sam S. at July 11, 2007 11:29 AM

Yes - you can block yahoo/hotmail/gmail BUT you will only block access to the popular web mail packages. You can block POP3/IMAP through the firewall. But the more blocks you put up, the more innovative users will be in going around them. Many users won't even worry about accessing the email from work - they will just forward the CYA material to their home email address, using the corporate email system and bypassing all of the firewalls.

Bob is right - telling someone they get to be the potential scapegoat isn't going to work unless you run the business/office like a prison and then you will only have workers that act like prisoners.

Actually blocking outside email access means that users will now be using the corporate email system for their lunch plans, jokes, etc. I find that keeping separate personal and work addresses helps protect me AND the company by keeping anything that might be questionable off their systems.

Posted by: Dan at July 11, 2007 11:58 AM

Although Jeff H answered with the "how," I think Bob's response as to the "why" trumps it.

Yes, you might be able to implement a technical solution to block access to web-based mail, or sending corporate mail to certain addresses (although I'd suspect the latter would be messy; there are plenty of businesses and consultants that use ISP-branded e-mail accounts. Would you have to create one-off exceptions for these people?).

But just because you can doesn't mean that you should. I find myself in Bob's camp on this one from both a philosophical and a practical standpoint. No matter what technical walls you implement, employees will always try to find ways around them (and usually succeed). Are you willing to invest the constant effort to keep up?

Secondly, the action is management by technology, rather than just pure management. If the company has a policy that specifies what can/can't be sent and to where, then the next time it happens, bring the issue to management/HR to deal with. They should be able to warn/discipline/fire the person depending on the severity of the action. After that happens once or twice, word would get around. Why would you need a technology solution when a management solution would do?

Posted by: Mike at July 11, 2007 01:21 PM

My daughter's junior high blocked all access to gmail. To get around it, they go to yahoo search and search for google and one of the options is google mail inside a yahoo.com window. Unless you think you are actually a policeman and want to turn people into management, then don't ask, don't tell is good. Unless it's a manager telling you then tell him how much that idiotic policy is costing the company in employee time and buy-in to other initiatives.

Posted by: Mike Moxcey at July 11, 2007 02:28 PM

Mike makes an excellent point; the issue must be addressed from both the technical and management perspectives. A technical measure that does not reflect the judgement of the organization (structured in policies) will hinder rather than advance that organization. An organizational policy in this area that cannot be monitored and enforced from a technical front will not give HR the tools necessary to document violations of policy, which is a necessary component of governance.

There is a difference between the "average business" and a "high-security prison" as Sam S. mentioned. Different industries have different regulatory oversight burdens. Different organizations within those industries vary in their employment policies and their risk tolerance. The concept of "don't ask; don't tell" implies that the IT professional does not want to know about something because there would be consequences to supporting that behavior. Turning a blind eye to behavior that is not consistent with an organization's policies, culture, or values can't be the answer.

Posted by: Jeff Helm at July 12, 2007 05:42 PM
