Perhaps I should be a bit more clear. Firewalling is a given. In an enterprise environment, it is good practice to lock down workstations. 75% of attacks originate on the inside. In my case, the network was in such bad shape when I started here, the inside/outside was a gray area. My approach will give you significant protection against casual "hobbyist" hackers and the obvious worms and trojans that seem to creep into the network.