WAN -> LAN

You _only_ require ingress from the WAN to services the company provides such as a mail server, web site etc. Other than that all ingress _must_ be denied..... period!!!!

LAN -> WAN

Run the firewall with logging set to log all outbound packets for a working week and then parse the logs for the Destination Port on all the SYN packets on outbound connections. List them out, determine the validity of the traffic, remove the viruses, worms, RATs and trojans from the offending machines and then block all outbound traffic that isn't valid or is never connected to.

Let the needs of the company _guide_ you but be firm when implementing a security device when they say "but I need my Kazaa"...
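The LAN -> WAN log review described above, as an added example that is not part of the original post: it parses iptables-style LOG lines (the sample lines are constructed, not real firewall output), keeps only new outbound TCP connection attempts (SYN set, ACK clear) going from the LAN interface to the WAN interface, tallies destination ports per LAN host, and lists the ports that are not on an approved outbound list. The interface names eth1 (LAN) and eth0 (WAN) and the log prefix OUTBOUND are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (assumed format, not real logs).
# IN=eth1 is the assumed LAN interface, OUT=eth0 the assumed WAN interface.
# Port 1214 is the port the Kazaa client used, included to show a hit to review.
SAMPLE_LOG = """\
Mar  3 09:01:12 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
Mar  3 09:01:13 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443 ACK URGP=0
Mar  3 09:02:44 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=25 SYN URGP=0
Mar  3 09:05:01 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.77 PROTO=TCP SPT=40002 DPT=1214 SYN URGP=0
Mar  3 09:05:02 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.78 PROTO=TCP SPT=40003 DPT=1214 SYN URGP=0
Mar  3 09:05:09 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.78 PROTO=TCP SPT=40003 DPT=1214 ACK SYN URGP=0
Mar  3 09:06:00 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")
FLAGS = re.compile(r"\b(SYN|ACK|FIN|RST)\b")

def parse_outbound_syn(line, lan_if="eth1", wan_if="eth0"):
    """Return (src, dport) when the line is a new outbound TCP connection
    attempt (SYN set, ACK clear) from the LAN interface to the WAN one, else None.
    SYN+ACK replies and established-connection packets are skipped."""
    f = dict(FIELD.findall(line))
    if f.get("IN") != lan_if or f.get("OUT") != wan_if or f.get("PROTO") != "TCP":
        return None
    flags = set(FLAGS.findall(line))
    if "SYN" not in flags or "ACK" in flags:
        return None
    return f["SRC"], int(f["DPT"])

def summarize(log_text):
    """Map each destination port to its SYN count and the LAN hosts that used it."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        hit = parse_outbound_syn(line)
        if hit:
            src, dport = hit
            summary[dport]["count"] += 1
            summary[dport]["sources"].add(src)
    return dict(summary)

def ports_to_review(summary, allowed_ports):
    """Destination ports seen in the week's SYNs that are not on the approved list."""
    return sorted(p for p in summary if p not in allowed_ports)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for port in ports_to_review(report, {25, 80, 443}):
        print(f"review port {port}: {report[port]['count']} SYNs from {sorted(report[port]['sources'])}")
```

Point `summarize` at the real week of logs instead of SAMPLE_LOG; each port it reports, together with the hosts that used it, is the list to validate, clean up and then deny by rule.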