Another good reason to keep CI locked out from other networks is to make sure all asset references are properly rewritten. Of summertime hard codes an open internet source or, even worse, an internal source, that will generate a 404 when testing, and any unexpected 404s in the log are instant test fails.