I would add some things for the desktops:

1. User authorities should be based on least privilege. They should have enough authority to do their jobs and no more. Definately no programs to be installed.

2. No accessing private e-mail accounts.

3. No accessing Facebook or other crap like that.

4. No attaching of unauthorised equipment to either the desktop or the network.

5. No USB stick or flash drives.

6. Aim for a standardised build and create an ISO for it.

7. Disable autorun.

8. If you need to use external media then build a stand alone "sheep dip" with daily updated antimalware on it. All media must be scanned on this machine first.

9. Try to establish a superuser with local admin rights if you cannot support locally or remotely. This person needs to know what they are doing and take full responsibility for their actions.

10. Restrict internet access to those who actually need it, if any.

11. Create an AUP and get all users to sign it, preferably every 3 months.

12. Make sure that applications are secured in the same way. Trust me, the boss doesn't want the storekeeper looking at his salary.