As I always interpreted it (and thus I could be wrong
), the security-tally and alert level is a system-wide thing, reflecting generally how aware the host is that it has been tampered with.
This seems like it is pretty much independent of where the intrusion is coming from, etc. Analysis routines would be monitoring traffic to make sure that nothing further is up, IC will stay on alert as needed, etc, until the system figures that things are back to the status quo. If you come in from a new jackpoint, I imagine that you'd be jsut as subject to scrutiny as if you re-logged in thru your old entry point.
This is of course my interpretation of it.
Some might like the idea of hosts having a different security sheaf (and perhaps different tally/alert sscales) based on whether the user is jacked in locally or from an external source -- but, the distributed nature of many hosts (possibly not even hosted on-site, if we follow our dedicated hosting pattern for current net servers) might mean that even legitemate users are not "local", but are simply from a set of known hosts/jackpoints; thus, it's likely that a host would be equally paranoid about all connections, traffic, and processing requests.
Or at least, that seems like how the prident system designer would do it ... (but, I will also admit, since when have the SR matrix rules been based on reality?
)