Good evening, and sorry if this is a stupid question.

We have a test BES and a handful of test users on Curve 8310s. One user can discovered that they can browse the intranet, and after I tested further OTHER servers on the internal network, whether on the DMZ or not!

This is very scary behavior, I am not sure how it would be able to do such a thing. The BES is on a virtual machine on an internal host. Is this known behavior? Is there a place that I am not seeing to turn it off? Any insight would be greatly appreciated!