I use the guest Wi-Fi strategy with the company computer isolated from the rest of my network, thinking mostly about my own privacy.
I can't do much in terms of personal usage of my company-issued laptop (MacBook M1 Max Pro), so I never use it for anything personal, and even for stuff like +1'ing a comment on a public GitHub repository for a random open-source project that we might use and that I discover while working, I prefer to just reopen the link with my personal computer and do it there. I've no personal accounts for anything whatsoever configured on my machine.
I don't think this should be the default for everyone, though. These limitations depend on the industry you're in, and your actual security risks/exposure.
I recommend this for everyone. I think it should be the default.
Now not everyone will be capable of doing all of this but I still think it's a good idea for everyone.
What everyone can do and should do by default, because you never know and better safe than sorry: You definitely shouldn't mix personal and private on the work laptop. Nothing private is done on the work laptop. If we're at the office, use your mobile device instead. If you're at home, your own laptop/computer isn't far away, use that. It's really not so hard to type in some URL or do a quick Google search to "earmark" something interesting you found during work on your personal device. And yes, I'd go as far as "just a Spotify account".
Network wise I agree, "guest" Wifi should be the minimum. Even regular router firmware AFAIK should all have that nowadays, so definitely put the work laptop in that one. Much of the HN crowd should go further and have something like Tomato where you can define lots of virtual wireless LANs and if you're the "wired" guy, put the work laptop onto its own VLAN on a dedicated port and never plug it in anywhere else. There is so much corporate spyware out there that you never know if you can really trust your company or its employees not to snoop around your network. It's so easy to set up that it should be a no brainer even if you fully trust both your company and all its IT employees and their boss and boss' boss etc. And they don't even have to actively snoop now, just regular operating system auto discovery stuff that ends up in logs can be enough for 'later'.
I go further w/ the wifi and actually have an automated access restriction set up that disables any network traffic from some time in the evening to my usual start time in the morning so the work laptop won't even be able to communicate w/ the internet let alone corporate headquarters during that time. It doubles as my "oh it's that late already? I should really stop working and make dinner" reminder, when network requests suddenly start failing ;) but it's easy enough to re-enable temporarily if there's an exceptional situation going on.
> There is so much corporate spyware out there that you never know if you can really trust your company or its employees not to snoop around your network. It's so easy to set up that it should be a no brainer even if you fully trust both your company and all its IT employees and their boss and boss' boss etc. And they don't even have to actively snoop now, just regular operating system auto discovery stuff that ends up in logs can be enough for 'later'.
True, the EDR product (one of the big names) has this feature where it explores the network environment around each laptop using nmap-style techniques.
This feature is also actively being used so I've decided to do the same at home, set my work computer on a locked down VLAN.
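If the work laptop is on its own VLAN with a logging drop rule toward the home LAN, the router's firewall log is where the EDR's network exploration becomes visible. The script below is an added example (not the commenter's setup and not tied to any EDR product): it parses netfilter-style kernel log lines, which are constructed here, and flags a source that touches many distinct hosts (a sweep) or many distinct ports on one host (a port scan). Thresholds and the `WORK-VLAN-DROP` log prefix are assumptions.

```python
"""Flag nmap-style discovery in netfilter log lines coming from a work VLAN.
Constructed example: log lines are synthetic, thresholds are assumptions."""
import re
from collections import defaultdict

# Matches the SRC/DST/PROTO/DPT fields of a standard netfilter LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line: str):
    """Return {src, dst, proto, dpt} for a netfilter log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dpt": int(d["dpt"]) if d["dpt"] else None}


def scan_report(lines, host_threshold=10, port_threshold=10):
    """Aggregate per source and report sweeps and port scans as tuples:
    ("host_sweep", src, distinct_hosts) or ("port_scan", src, dst, distinct_ports)."""
    hosts = defaultdict(set)   # src -> distinct destination hosts
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hosts[rec["src"]].add(rec["dst"])
        if rec["dpt"] is not None:
            ports[(rec["src"], rec["dst"])].add(rec["dpt"])
    findings = []
    for src, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            findings.append(("host_sweep", src, len(dsts)))
    for (src, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ps)))
    return sorted(findings)


def _line(src, dst, dpt):
    # Shape of a kernel netfilter LOG entry; all addresses here are constructed.
    return (f"Jan 10 18:01:02 router kernel: WORK-VLAN-DROP: IN=vlan20 OUT=br0 "
            f"SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT=51234 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


def constructed_log():
    """Synthetic log: one noisy work laptop and one quiet host on the VLAN."""
    lines = []
    # Laptop 192.168.20.10 knocks on port 445 of twenty LAN hosts (sweep)...
    for i in range(1, 21):
        lines.append(_line("192.168.20.10", f"192.168.1.{i}", 445))
    # ...and walks twelve ports on a single NAS-like host (port scan).
    for p in (22, 80, 135, 139, 443, 445, 3389, 5900, 8080, 8443, 9100, 62078):
        lines.append(_line("192.168.20.10", "192.168.1.50", p))
    # A second device only does DNS and HTTP to the gateway: benign.
    lines.append(_line("192.168.20.11", "192.168.1.1", 53))
    lines.append(_line("192.168.20.11", "192.168.1.1", 80))
    lines.append("Jan 10 18:01:03 router kernel: unrelated message")
    return lines


if __name__ == "__main__":
    for f in scan_report(constructed_log()):
        print(f)
```

On a real router the input would be `journalctl -k` or `/var/log/kern.log` filtered on the log prefix; the thresholds are deliberately low because a laptop that should only talk to the gateway has no reason to touch ten LAN hosts at all.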
How often is "sometimes"? How regular is "sometimes"?
I ask because Tomato for example makes this relatively flexible so if you work certain hours but different per day that's easily done with just regular configuration through the UI. I have it set up to completely block the work WiFi on weekends for example.
If it's something like an on call week or something like that I would still set it up and only temporarily disable the entire rule if a page comes in that needs attention. If during pager week you basically need constant access consider whether this is a place you really want to work. If no efforts are being made by everyone to reduce the amount of pages I would strongly suggest you don't want to work there.