There's no such thing as doing something and it's done. You have to keep watching, going through the logs, and when you see something you don't like, fix it.
Personally I like to use the PsTools kit to keep an eye on the network (tried for SMS but they didn't like the cost). At least once a week I use a bat file and pslist to list the processes running on everyone's machine. You get to know all the processes that should be running. Every time I see something running that shouldn't be, I use psexec to spawn a shell on that computer, go to the directory the program is in, rename all the DLLs to d11, kill it and use net send to tell the user that running such and such a program on a company computer is not permitted. If I see it again I make them a restricted user on their machine and put them in a group on the fw that's so tight they can't even see streaming ads. This may seem like a candy ass way of going about it, but I got tired of reminding some users of the policy and being lied to. To me it's just not worth the hassle, and watching the running processes also helps keep spyware from getting out of hand.
You said before that your fw does SPI and therefore the average user should be denied the ability to d/l exes (pifs, vbs, etc.). So if they bring them in and you catch them once or twice, they are going to know they are being watched. If you use psexec and run net send from their own computer, they're never sure just who is watching them. But you'll be surprised how few people actually break the rules and require this kind of treatment.
If you search your log files every once in a while and do as tiger shark recommended when you find something, and let them know you found it, you'll keep it under control.




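The weekly process review described in the post above can be automated by diffing each machine's listing against a known-good baseline. This is an added example, not part of the original post: the host names, process names and `BASELINE` allowlist are constructed, and the input layout is assumed to follow pslist's default table.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on pslist's default table layout (an assumption).
SAMPLE = """\
Process information for WS-ACCT-01:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0    51:02:11.203     0:00:00.000
System                4   8  61  412     28     0:00:41.109    52:10:03.551
winlogon            612  13  19  540   6120     0:00:02.453    52:09:58.004
explorer           1480   8  14  398  11244     0:00:19.812    51:58:40.770

Process information for WS-SALES-07:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0    12:44:09.000     0:00:00.000
System                4   8  58  390     28     0:00:12.640    13:01:22.118
explorer           1312   8  12  371  10876     0:00:08.203    12:59:47.391
p2pshare           2204   8   9  215   8432     0:03:51.906     2:14:05.660
"""

BASELINE = {"idle", "system", "winlogon", "explorer"}  # hypothetical allowlist

HOST_RE = re.compile(r"^Process information for (\S+?):\s*$")
ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+[\d:.]+\s+[\d:.]+\s*$")

def parse_listings(text):
    """Return {host: [(process_name, pid), ...]} from concatenated listings."""
    hosts, current = defaultdict(list), None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:   # header and blank lines never match
            hosts[current].append((m.group(1), int(m.group(2))))
    return dict(hosts)

def unexpected(listings, baseline):
    """Return {host: [(name, pid)]} for processes not in the baseline."""
    known = {n.lower() for n in baseline}
    report = {h: [(n, p) for n, p in procs if n.lower() not in known]
              for h, procs in listings.items()}
    return {h: extra for h, extra in report.items() if extra}

if __name__ == "__main__":
    print(unexpected(parse_listings(SAMPLE), BASELINE))
```

Hosts whose listings contain only baseline processes are left out of the report, so an empty result means nothing unexpected was seen in that week's run.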