Its time to admit

that trying to make computing user friendly only makes it virus friendly.

People are going to have to play in sandboxes AND learn simple security procedures. This may sound onerous to some but when I've managed to explain it to management the response has been 'that's just what we want in the organisation'.

Getting them to sign exemption forms so they take responsibility when that security is removed from their PC's can 'do something operationally sensitive' is another matter.