> "For those that haven’t already, disable autoplay in Windows; this alone can save you quite a bit of grief. It is absolutely unreal how much trouble autoplay can cause on a Windows system where the user is logged in with administrative privileges."
And you're surprised you had viruses on your network?! Firstly, autorun should never be enabled at all, ever, and secondly, the users should never have administrative privileges! What do they NEED them for?
Personally, as well as disabling autorun and the other obvious stuff, I lock down the system with a software restriction policy to only allow programs to run from C:/ program files unless you're a local admin (which by extension means network admin, because users do _NOT_ need admin accounts). Hey presto, in one fell swoop I've blocked trojans from being run, regardless of whether the users download them through a web browser, email client or a USB stick.
Apart from the fact that most Windows "sysadmins" are morons, I can't see why other people don't do the same; it near completely closes off possible attack vectors to the desktop.
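
An added example, not part of the comment above: a read-only PowerShell audit of the three settings it names (autorun, a software restriction policy that exempts local admins, and whether the current user is an admin). The registry locations are the standard Windows policy keys; `Get-RegValue` is a helper name introduced here.

```powershell
# Added example (not from the comment): read-only audit, changes nothing.
function Get-RegValue($Path, $Name) {
    # Helper introduced for this example; returns $null if key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$srp      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all of them.
$autorun = foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = Get-RegValue "$hive\$explorer" 'NoDriveTypeAutoRun'
    [pscustomobject]@{
        Hive        = $hive
        Value       = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f $v }
        AllDisabled = ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
    }
}

# SRP: DefaultLevel 0 means anything without an allow rule is blocked.
# PolicyScope 1 means the policy applies to everyone except local administrators.
$levels   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$default  = Get-RegValue $srp 'DefaultLevel'
$scope    = Get-RegValue $srp 'PolicyScope'
$srpState = if ($null -eq $default) { 'no SRP configured' } else { $levels[[int]$default] }

# Path rules at the Unrestricted level (262144) form the allow-list.
$allowed = Get-ChildItem "$srp\262144\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RegValue $_.PSPath 'ItemData' }

# With UAC, this is true only in an elevated session.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$autorun | Format-Table -AutoSize
[pscustomobject]@{
    SrpDefaultLevel   = $srpState
    AdminsExempt      = ($scope -eq 1)
    UnrestrictedPaths = $allowed -join '; '
    RunningAsAdmin    = $isAdmin
} | Format-List
```

The setup the comment describes would show `AllDisabled` true, `SrpDefaultLevel` Disallowed, `AdminsExempt` true, and the Program Files location among the unrestricted paths.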