VMware Cloud Community
benny_hauk
Enthusiast

Give user access to plug VMs into one virtual switch but not another?

Is it possible on a single ESXi 3.5 host to give a user access to plug any VM he wants into one virtual switch but not another virtual switch in the same host? If so, how do you do it? Host is a standalone - not managed by virtualcenter server at all.

Benny Hauk, Systems Admin, VCP3/VCP4, LifeWay Christian Resources
marvinms
Enthusiast

I am looking at ESXi as a possible solution too, so I have to ask. If the user has sufficient permission to modify the VM (assign it to the vswitch), then I guess restricting that level of permissions is not the answer.

Are the users able to create VMs in this scenario?

Craig_Baltzer
Expert

No, there is no "per vSwitch" access control

benny_hauk
Enthusiast

Thanks Craig, I'll go with that.

I've thought of one crazy scenario that I may go through with that I think would accomplish what I'm wanting:

Open up permissions so that anyone can assign any virtual adapter to any virtual switch port group.

At the same time lock down permissions so that no user can modify any virtual switches at all (other than plugging VMs into them, which really isn't "modifying").

Then for the one that I don't want them plugging anything into, I change that one to only have 8 ports and reboot the host to take effect.

Then I create some dummy VM that possibly doesn't even have an OS. Call it "Space Occupier". Install 6 virtual adapters in it. Plug all of them into the "locked down" virtual switch.

Lock down that "Space Occupier" VM so that no user has access to modify it in any way (not even power on/power off). Set it to automatically power on when ESX is rebooted.

Simply keep that VM powered on all the time so that all ports in my "locked down" virtual switch are already full thus none of my users can use it.

My goal here, by the way, is to run m0n0wall or some other NAT'ing VM appliance attached to both an Internal Only virtual switch and also one that's attached to the outside world. I want my users to have full rein to use the Internal Switch all day long but not the one that's connected to our corporate LAN. This would essentially give their VMs protected access to the Internet without letting them on our corporate network, which I think will make network security folks and my users happy.

We'll see!

Benny Hauk, Systems Admin, VCP3/VCP4, LifeWay Christian Resources
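Since the host offers no per-vSwitch access control, the practical fallback is to detect, rather than prevent, a VM being patched into the outside-facing switch. As an added example that is not from the thread or from VMware, the PowerCLI script below lists every VM adapter sitting on a port group of that switch other than the NAT appliance; the host name, switch name and appliance name are assumptions.

```powershell
# Added example, not code from the thread. Assumes VMware PowerCLI installed,
# a standalone ESXi host reachable as 'esxi-host.example.com' (placeholder),
# an outside-facing switch named 'vSwitch1' and a NAT appliance VM named
# 'm0n0wall' that is the only VM permitted on that switch. All are assumptions.
param(
    [string]   $HostName      = 'esxi-host.example.com',
    [string]   $OutsideSwitch = 'vSwitch1',
    [string[]] $AllowedVMs    = @('m0n0wall')
)

# Connect directly to the host (prompts for credentials if none are cached).
Connect-VIServer -Server $HostName | Out-Null
try {
    # Port groups that live on the outside-facing vSwitch; any VM adapter
    # whose NetworkName matches one of them is patched into the corporate LAN.
    $vs         = Get-VirtualSwitch -Name $OutsideSwitch
    $outsidePGs = Get-VirtualPortGroup -VirtualSwitch $vs |
                  Select-Object -ExpandProperty Name

    Write-Host ("Switch {0}: {1} ports configured, {2} free" -f `
        $vs.Name, $vs.NumPorts, $vs.NumPortsAvailable)

    # Walk every adapter of every VM and flag the ones that are not on the
    # allow list but sit on an outside port group.
    $violations = foreach ($vm in Get-VM) {
        if ($AllowedVMs -contains $vm.Name) { continue }
        foreach ($nic in Get-NetworkAdapter -VM $vm) {
            if ($outsidePGs -contains $nic.NetworkName) {
                [pscustomobject]@{
                    VM         = $vm.Name
                    Adapter    = $nic.Name
                    PortGroup  = $nic.NetworkName
                    Connected  = $nic.ConnectionState.Connected
                    PowerState = $vm.PowerState
                }
            }
        }
    }
    if ($violations) {
        Write-Warning "VMs attached to $OutsideSwitch outside the allow list:"
        $violations | Format-Table -AutoSize
    } else {
        Write-Host "Only allowed VMs are attached to $OutsideSwitch."
    }
}
finally {
    Disconnect-VIServer -Server $HostName -Confirm:$false
}
```

Run it on a schedule from an admin workstation; a non-empty table is the signal that someone has plugged a VM into the corporate-facing switch.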
Craig_Baltzer
Expert

Ah, the old "port hogger VMs" :). Might just work...

The one thing right off the bat is you'll need a couple of VMs as you are limited to 4 NICs per VM....

benny_hauk
Enthusiast

Yeah, I think it would all work well except I found a chink in the armor last night. After looking and looking for a place to add a folder structure or some object where I could apply permissions to, I finally found in the documentation where it says you can't set permissions on a per VM basis when ESXi is managed directly instead of via VirtualCenter (darn that free hypervisor!). Very annoying. And without a service console it doesn't appear that I can set file permissions on the folders in the datastore I'm using (do permissions more manually, which I'm not a big fan of anyway). So basically either I use the free VMware Server, which doesn't perform as well from what we've seen on high-end servers (8-way, 24GB), and we can lock down every little piece all we want, or we use the more powerful ESXi but it's an all-or-nothing game. Oh well. Probably going to stick with ESXi. Maybe they'll fix the permissions thing in future releases. We'll see. ... Maybe I'll head on over to the "feature request" forum...

Benny Hauk, Systems Admin, VCP3/VCP4, LifeWay Christian Resources
benny_hauk
Enthusiast

My suggestion for future releases

Benny Hauk, Systems Admin, VCP3/VCP4, LifeWay Christian Resources