I'm not sure how these would have helped contain Manning. The access-control part of this infosec failure was on a higher level (Manning's admin access crossed compartments). "Server-side" access control didn't fail, it functioned as expected. Monitoring did fail, but that's another story.

Zooming out a bit to the security bits of IP packets, that I had completely forgotten about - are those actually used/useful in this Layer 7 era? How?

I can't think of a single use case. I would expect even the sensitive/non-sensitive routing decisions to happen on a per-host/subnet basis (e.g. 30.x.x.x stuff goes through this pipe, other stuff goes through the outside-world pipe)

For one thing, you don't permit information that has different classifications, or is in different compartment to be stored together on one computer.

So if he has access to top secret information, he shouldn't also be able to download Easy CD Creator with Internet Explorer, nor should he have been permitted to put what appeared to be audio CDs into the burner.

While one could argue his PC should not have a burner, there are good reasons for top secret computers to have them, however one should not be permitted to insert any but top secret CDs, and after burning there should be a way to enforce that they are stamped "top secret", and finally he should have been searched on the way out.

So a sys-admin wouldn't have full access to install software on his own machine? Which they wouldn't have been able to override, even given long periods of time alone with the hardware?

It is hard to imagine that the tools provided by the factory image (however heavily modded and supplemented that may be) would enable him to do everything he needs to do, without needing this or that approved by someone all the time. They are the guys who, in most other organizations, would approve or reject the third-party application. It is certainly a curious concept to me, to have a sysadmin without admin privileges (on his client, at least). I guess you could pull it off if you reduced the sysadmin's job to "look at some status output -> press GUI button. occasionally, call someone", but I'm fairly certain that you can't do that with everyone. What about the DB admins?

In any case. I dare say that you couldn't have stopped him. You may have contained his information access to a more limited scope[1], you may have limited his "bandwidth/throughput", but you just can't stop a dedicated whistleblower. You can't stop data exfiltrations, period. After all is said and done, and you remove all tools that could have been used to exfiltrate data (everything), the guy will memorize the document, go into the toilet, and write it on his thigh, or whatever[2]. Even though I suppose that at that time, it is info exfiltration, and it has less press value.

Manning's method was almost 0 risk to him (at the time, and "considering...") and offered 740MB bandwidth per round trip (if it wasn't actually DVDs). That's a pretty good bandwidth/risk ratio. Some more extreme alternatives would include SDs, micro SDs, tiny USB drives, and.. well, I don't need to paint you a picture - just look at drug mule tricks for inspiration.

[1] Snowden, not Manning. Analysts need info.

[2] There are several hundred steps between the current status quo and that extreme I just mentioned, but at the end of the day - you can't plug the analog hole that is the human brain unless we start wiping memories. And even then...