CryptoProtect is not doing this by Remote (anything.) It's just one of many reasons I see what you described.

There are tomes about how such happens such as and the links there.

As written I don't agree with more firewalls. It's more of an issue where your users click or run something they shouldn't have.