There are a couple of ways to go for firewalls. I've had excellent luck with the D-Link (DI-604 or DFL-80 or DFL-300).For just a couple of dollars ($60 to $200 depending on features you need) you have a hardware firewall that you can easily open up only a few ports or even set it up so that only certain computers have access to browse. The high end way to go is the Astaro linux based firewall which includes virus scan that is updated every night. A LOT more options as to who has access to what and what can be blocked. Keeep in mind that the blaster virus did NOT attach itself to email but directly attacked Windows 2000/XP workstations through port 135. If you only open the ports you need you stop that kind of attack.
I prefer hardware based solutions rather than adding more software to the workstation (more sources of conflicts and why have more things for the user to deal with).
Regarding the issue about `trusting ' the worker it's the old 90/10 rule. 10% OF the employees will cause 90% of the problems. Setting the system up to AVOID problems makes more business sense than chasing the problems after they occur. I've repeatedly had to go in and deal with situations where an employee was addicted to the gambling sites. Just recently had to deal with a child porn problem. One situation an employee FILLED the server with more than 60GB of downloaded music. At this point there have been multimillion dollar judgements against employers for allowing employees to download music. Employers have no choice but to protect themselves. It is the employer's equipment and network and the employer WILL BE held responsible for misuses of it.