I read with interest the recent example solution architecture article posted on Technet. It goes through the logical architecture of a School MOSS implementation. They have some good recommendations on hosting hardware and have some interesting comments on the way they handle media hosting.
Of Course being good consultants they provide nice visio overlays of the logical architecture:
.gif)
However I was surprised to see the following:
| The solution is composed of two sets of sites: Each set of sites is grouped in a separate application pool. |
Basically they are saying that staff sites and student sites are hosted in the same web application. I hope staff aren't going to put sensitive information into their sites, because it would only take one human error assigning permissions to give students access to the site. However if the students and staff are in separate web applications you could use web application policy to block students, so even if they were accidentally given access by a human, they would be blocked.
I'm sure this has been thought about by these guys because further on in the article we find:
| You want to use zone policies to enforce permissions at the Web application level. For example, you can create a policy to deny write access to all unauthenticated users who view content on the public-facing sites. |
This is a classic example of where web application policy is so helpful and why it really pays to have a think about the implications of your design.