>> 1. (users having confidential information the org does not want to leak)
>> computers with access to such information should not be internet-
>> connected; keep on reading...
>You're living in lala-land
Separating out your sensitive data processing from your general internet access is a highly sensible precaution when you don't want your sensitive data to be exfiltrated. The fact that many organizations allow email and web on their sensitive machines is what makes spear phishing so easy (see RSA). Sensitive information is much easier to protect if it's kept in a controlled environment and you use remote desktop technology to access it.
The only way you could say this is lala-land is just to point out that most organizations take nearly zero precautions for protecting their data and then just stand around looking sad when something bad happens.