Monitoring for virus coming from the Internet would really help in preventing infections, at least on the entry-point where a client accesses a malicious website.
My first step would be to get the reports from the SAV or SEP reporter. The file would contain information on the infection particularly the path where the infection was detected.
Internet files would be stored in C:\Documents and Settings\username\Local Settings\Temporary Internet Files
Take note of the computer name, the username, and the time of infection.
I'm using Internet Explorer History Viewer and checking the remote PCs visited sites (assuming that the user hasn't yet deleted the history) and cross checking the sites visited at the time of infection.
The application shows the history in html table format so it's easy to see the sites visited.
I also use Norton Safe Web to get additional details on the website that was visited. https://safeweb.norton.com
Based on that analysis, I can block specific websites to prevent users from accessing them ever again. This also includes pop-ups addresses.