They literally had every system air-gapped in the server room (except for the one with Internet access). So if you plugged into the accounting port you could only access that server. If you accidentally plugged in a cable from the Internet port to the accounting one it was a fireable offense.

Welcome to healthcare IT where the vendors make all the rules and take all the shortcuts. Users need local admin privileges to run apps? Absolutely. Does web app only run in IE11? You’re lucky they updated it for IE11. Does every vendor want its own SQL server (not instance, server!)? That’s just how we do it. Hope you like having a dozen different versions of Java installed on your machine because each government website you have to visit requires one and only one version and they’re all different!

I also forgot the app that doesn’t work if the server is on a domain. Doesn’t matter what GPOs you block it from receiving, throw it on a domain and it breaks.

Previous life. Reminds me of one customer we were supporting where another tech-consultant discovered everyone was a domain admin. He disabled this, we dealt with the flak in tickets actually sorting things properly. A couple of weeks later they got a Locky virus on the site. The damage was minimal as the compromised account (test1) was only able to access certain things lol.

I work as a programmer and I’ve had many cases where I needed to install new software, often with admin privileges, in order to do my job. I’ve even needed to install different drivers on more than one occasion. I’d actually consider not having admin rights on my computer to be a red flag.

