The most insecure part of any network tends to be the users. It's hard to say what vulnerabilities are there without a more specific listing of the policies used. Depending on the need for flexibility on the users' machines, you may want to disable their ability to load any kind of executable.

Are you saying the manager does not want patches applied? That will be an issue as future vulnerabilities are revealed both for software and hardware.

The IIS and SQL servers need to be evaluated very carefully to avoid potential "common" holes. I assume there is a web app running on this server? If there is, the application is a potential security risk through SQL injection and the like. You may also want to consider isolating them from the rest of the network by placing them in a DMZ. If there is no web app, I'd suggest shutting the services down. No sense in opening any doors that aren't being used.

It looks like you want to strongly consider an anti-virus that runs on all client machines. Viruses don't always come from emails so there needs to be a more comprehensive anti-virus solution installed.

These are just basic ideas. It's hard to get more specific without more specifics on the actual installed hardware and software. Hope this helps!