Kick them off
1) Identify a zombie
---a) Researchers or a cohort of ISP techs agree an verify that a particular computer is acting as a zombie
2) Inform an ISP of all identified zombies on their network, giving them a 48 hour deadline
---a) Zomibies' ISP blocks affected computers and informs users why.
---b) Affected systems not allowed back on until they are verified clean.
---c) Users added to a "watch list" so no other ISP will accept them until system is clean
---d) Users may need to pay for cleaning/verification
3) ISP responds within 48 hours that all zombies are now blocked
---a) Zombies probed - if blocked, all is well
---b) If still live, ISP faces risk of blacklisting (>5% still live, immediate blacklist, <5% ISP has 3 hours to block)
4) Once 48 hours deadline passes with no response that *ALL* zombies are blocked (99% is not good enough), ISP gets black listed.
5) ISPs required to inform users of their responsibility to ensure that their systems are secure. The users should also be informed that they may well be held liable for all costs and penalties the ISP incurs as a result of the user's lax security.
There is NO EXCUSE for a computer being on the net without security. ***NONE*** Even Windows can be secured to a reasonable enough extent (and for free).