I would like to the limit the damage a virus can do in a network. I was told that having one host per subnet with ACLs can do the trick. Is that the best way to limit the exposure of an attack? Because, if I were to have hundreds of users and machines in the network, wouldn't that be not feasible to deploy? I heard that some major corporations are already doing that. Is it really true?