Hey Jeremy - can you attach that spreadsheet for us !
There is a reason for doing this - although it is expensive, you can HEAVILY restrict the Internet Explorer options using policy editing and management - thereby not preventing users from doing whatever they want through their local IE settings - but ensuring that the users are very limited to their OneWorld system settings.
Management of the Internet Explorer client is a logistical nightmare - almost to the verge of having to maintain fat clients out there all over again. With users installing spyware, going to web sites and downloading hot-button software - we're back in the situation with the JAS solution of opening MASSIVE security holes as well as having to maintain precise and limited use of the Internet Explorer security settings.
The internet is becoming a darker place. Almost every single day I manage to somehow get some sort of tracking cookie or some sort of spyware installed - and I use Spybot S&D as well as Ad-aware. The problem is, of course, that spyware is being published far faster than anti-spyware can handle it, and it only takes a very simple background script to be developed on a website to literally slam a hole directly into your OneWorld data and gain access directly to proprietary information and financials.
I published a paper called "Hacking OneWorld" that goes somewhat down a path of securing OneWorld in these regards - but I think this needs to be expanded upon with regards to Spyware.
I know I went a little off-topic on this - but managing Internet Explorer through Citrix isn't as far fetched as you might imagine, given the potential expense of losing all your financial data to some unknown source...