[mikester]

+1 on the 'It depends'

Is there a legal team involved or not?

Smaller environments have less rules but in larger environments the general user population has ZERO real access to the internet (or shouldn't at least).

Any access to the internet is through a filtered web proxy. The user networks don't even need a route to the internet at that point - just the proxy server. This model means the firewall from the inside to the outside is far less complex and I would argue should work well in even a small environment that has multiple subnets.