We came across the same scenario, in a 7 site 2000+ workstation environment there were about 50 misbehaving PCs that would repeatedly try and pull almost 800MB a day from the parent bypassing the local GUPs, 90% of teh workstations were properly operating.
We found an old reference to GUPs and differening subnets, the Symantec tech I talked to insisted that the subnets were not an issue, but we kept seeing results that disproved it as an issue, and our answer was local LU servers in the sites, this resolved it 100%.
We found that some were corrupt defs, some had full C: drives and unable to decompress the defs, and then others were just a mystery.
I know it's not the approved method, but it worked for us.