I am auditing some PIX firewall configs and had a question for anyone who maybe is a network engineer type.
Should an organization have the Traceroute turned off or would that not really matter? How about allowing "ICMP pings from Any"?

Thanks ahead of time.:)

If you're really security conscious then there is really no need to have anything enabled at the firewall that your users don't need. Although such an approach can be a headache for some users as they may discover that they need access to more than has been allowed and have to go through the admin to get the access enabled it really is the most secure.

I know that doesn't answer your question, but if you don't know about the security dangers of a particular protocol and your users don't need it, then why take the risk and enable it?