This is a better approach, but as you say it does put the configuration overhead on the user - and many users will just click "yes" when asked whether to allow something.

So user eduction is important, but hard to ensure across a whole organisation for example.