One of the features in Windows 7 is called DirectAccess (DA). DA is a mechanism by which an organization can de-perimeterize its network.
De-perimeterization is the rethinking of traditional corporate networking (see the Jericho Forum for more on this). The basic idea is that the hard-candy shell around the corporate network of yesteryear just doesn't make sense when we're poking holes in the firewall left and right to enable business scenarios.
There are many DA deployment models, but one thing they have in common is that they are built on the pervasive deployment of IPsec for authentication and confidentiality of traffic.
From the user's perspective, what it enables is seamless access to resources on the corporate network even when you are not on the corporate network. "Well," you say, "that sounds like Remote Access (RAS)."
And to a certain extent it is just that, RAS; you could even think of it as RAS with single sign-on (SSO).
That's all fine and good, but what does that really mean to me? Well, let's say I go to Hotwire Coffee. I bring in my laptop and cold boot it; at the logon screen I log in with my smart card like I do every day. As soon as I am at my desktop I use the wireless connectoid in the system tray to connect to the free Wi-Fi there, I open my browser, and I automatically land on my corporate intranet site, which is set as my browser's home page.
At no point did I have to do anything special to connect to the corporate network; I just logged into my PC like I do every day and connected to the free Wi-Fi like I do any other time.
It's that simple...
So why is this so "different" from the way corporate networks normally work today? For the most part, corporate networks have a device on the border of the network that terminates a tunnel and bridges access from the outside to the inside.
In the case of DirectAccess that is just one deployment model. There is another in which the border device only checks whether the traffic is IPsec-encapsulated; if it is, that traffic is allowed to flow into the network directly to the hosts the user wants to reach.
This second deployment relies on each end-point natively understanding IPsec (which Windows has for a long time), because the end host, not the gateway, is what authenticates the peer and decrypts the traffic. If a host could not do that, it could not decode the IPsec traffic and the traffic would simply be dropped on the floor.
The gateway serves other purposes too; for example, it can provide DoS protection and other core services necessary for a secure, scalable deployment.
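To make the "only let IPsec through" edge check concrete, here is an added illustration (my own example, not code from the post or from the DirectAccess product) of what that first gate looks like on the wire. It assumes IPv6 transport (the post doesn't say so, but DirectAccess carries its traffic over IPv6), walks the IPv6 extension-header chain to reach the upper-layer protocol, and forwards a packet only if that protocol is ESP (50), AH (51), or IKE/NAT-T on UDP 500/4500. Non-initial fragments are dropped because they carry no upper-layer header and so can't be shown to be IPsec. The sample packets, addresses and SPI values are constructed for the example.

```python
"""Illustrative edge filter: forward only IPsec-encapsulated IPv6 packets.

Added example, not from the original post. The classifier is stateless; the
end host's IPsec stack still authenticates and decrypts whatever gets through.
"""
import struct

# IPv6 next-header values (IANA protocol numbers)
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
TCP, UDP, ESP, AH = 6, 17, 50, 51
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
IKE_PORTS = {500, 4500}  # IKE, and UDP-encapsulated ESP (NAT-T, RFC 3948)


def classify(packet):
    """Return (forward, reason) for one raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False, "not IPv6"
    payload_len = struct.unpack("!H", packet[4:6])[0]
    if len(packet) < 40 + payload_len:
        return False, "truncated packet"
    nh, off = packet[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            return False, "truncated extension header"
        if nh == FRAGMENT:
            # Fragment header is a fixed 8 bytes; fragment offset is the top 13 bits
            # of bytes 2-3. A non-initial fragment has no upper-layer header to inspect.
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3 != 0:
                return False, "non-initial fragment"
            hdr_len = 8
        else:
            # Hdr Ext Len counts 8-byte units, not including the first 8 bytes
            hdr_len = (packet[off + 1] + 1) * 8
        if off + hdr_len > len(packet):
            return False, "truncated extension header"
        nh, off = packet[off], off + hdr_len
    if nh == ESP:
        return True, "ESP"
    if nh == AH:
        return True, "AH"
    if nh == UDP:
        if off + 8 > len(packet):
            return False, "truncated UDP header"
        sport, dport = struct.unpack("!HH", packet[off:off + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return True, "IKE/NAT-T"
        return False, "plaintext UDP"
    return False, f"plaintext protocol {nh}"


# --- constructed sample packets (documentation-prefix addresses, made-up SPI) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(first_nh, payload):
    """Constructed IPv6 packet: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + SRC + DST + payload


ESP_DATA = struct.pack("!II", 0x0A1B2C3D, 1) + bytes(16)  # SPI, sequence, ciphertext stand-in
TCP_SYN = struct.pack("!HHIIBBHHH", 49152, 445, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN to SMB
HOPOPTS_HDR = bytes([ESP, 0]) + b"\x01\x04\x00\x00\x00\x00"  # next=ESP, 8 bytes, PadN option
NON_FIRST_FRAG = bytes([ESP, 0]) + struct.pack("!HI", 1 << 3, 0xDEADBEEF)  # offset 1, M=0
NAT_T = struct.pack("!HHHH", 4500, 4500, 8 + len(ESP_DATA), 0) + ESP_DATA

SAMPLES = {
    "esp": ipv6(ESP, ESP_DATA),
    "smb_syn": ipv6(TCP, TCP_SYN),
    "hopopts_then_esp": ipv6(HOPOPTS, HOPOPTS_HDR + ESP_DATA),
    "non_initial_fragment": ipv6(FRAGMENT, NON_FIRST_FRAG + bytes(16)),
    "nat_t_esp": ipv6(UDP, NAT_T),
    "ipv4": bytes.fromhex("45000028000040004006") + bytes(30),  # IPv4 header start, rest zeroed
}


def run_filter(samples=SAMPLES):
    """Classify every sample; returns {name: (forward, reason)}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (fwd, why) in run_filter().items():
        print(f"{name:22s} {'FORWARD' if fwd else 'DROP   '} ({why})")
```

Note what this check does and doesn't buy you: a bare SMB SYN from the coffee shop never reaches a file server, but an ESP header on its own proves nothing about who sent it. Authorization happens when the host's IPsec stack validates the peer's credentials, which is exactly why this model depends on every end-point speaking IPsec natively.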
In these DA deployments you can do a number of things; for example, you can require that only domain-managed machines connect, that the logged-on user be a member of a particular group, and that the user have logged on with a smart card.
You can even overlay Network Access Protection (NAP) onto DA so that you can restrict access to those machines that meet the corporate IT "health policy".
There is no way I can do DA justice in a blog post, but from a user-experience and security standpoint it's pretty cool.