In a Windows business environment, use an Active Directory domain and clamp down on all the users permissions. This creates some minor problems up front: inevitably there are applications that need to write to odd directories and the permissions will prohibit that. An admin will have to figure out what directory is being denied and give all the users of that app permissions to write to that folder.
A great many of the problems with Windows in the business environment are vendors writing software that hasn't been tested in a locked-up domain (which is totally bizarre and lazy on their part). ACT!....CaterEase....even Palm OS won't function correctly. Out of all the problems I've had Palm OS is the only app I've been unable to make work. That's OK, I just tell people to buy an ActiveSync compatible device or they can't use one....period....end of discussion.
As for Internet Explorer at home: simply download the IE 5 Power Tweaks from Microsoft and install them. Then go into your IE options and under Security disable or restrict all scripting, Java and ActiveX.
When you go to a site you trust -like your bank - that requires scripting etc, click on IE's Tools menu. Power Tweaks adds a "Add to Trusted Zone" option there: click it and refresh the page.
It's a little bit of a hassle until you have all your sites in the list but, it's kept me free from spyware for several years now and once the bulk of your trusted sites are listed, it's no problem at all.
Mozilla's a great alternative too although, some functions still won't work on it correctly....those will be fixed eventually as demand for it grows. I'd use it full-time now if the Kiosk mode worked correctly.
"As for Internet Explorer at home: simply download the IE 5 Power Tweaks from Microsoft and install them."
Excuse my ignorance, but is IE Power Tweaks the same as TweakUI?