Okay, so what I'm getting from people is the following:
Setup A:
- Swap out Outlook Express for an alternate mail client. Perhaps Eudora or (my suggestion) Thunderbird.
- Install a proxy, and block outbound connections from the machines themselves.
- Disable all unneeded desktop shares.
- Disable booting to removable media in the BIOS.
- Password protect the BIOS configuration.
- Lock cases that have the ability to, and favour cases with such security features over ones that do not when looking at upgrading.
- Configure desktops to log to a central logging server.
- Utilize SUS to handle automated critical updates.
- Set domain and local machine policies to restrict logon hours, local logons, etc.
- All desktops should be set to lock the desktop after 10-15 minutes of inactivity.
- Centralize and homogenize the AV for the network. Consider alternatives to Symantec AntiVirus, as it does not update as frequently.
Setup B:
Identical to A, with the additional step of DMZing the network, and blocking traffic between the clients and servers except on the necessary ports.
Missing anything?



