>> In addition we have started investigating the possibility of taking away the administrative rights of our desktop users.<<
Been there, done that many many years ago. Still get hit, occasionally pretty hard.
Won't matter. Today malware puts its stuff in the user profile area where they have rights even if they have NO account on the computer locally and are only domain users with only "user rights".
Our people have no rights other than to log in and use. If they aren't connected to the network they can't even log in unless they have been there before and have a profile on that computer.
They can't even install a printer, yet malware CAN and DOES install because it doesn't follow the rules. Geesh, GOOGLE CHROME doesn't even follow the rules - this stuff puts files in the %userprofile%\application data and other folders where users have rights and MUST have rights. Otherwise their Outlook won't work, the browser won't work, etc.
Some malware installs as BHOs (Browser Helper Objects) and other nice things - looking like a requested "modification" instead of a full install, so it gets in.
Full lockdown will be problematic in many places as well - no more changing settings, updating software on the fly like so much of it insists on doing now (some HP software for their all-in-ones won't work properly if locked down too tightly).
True, the application "white list" will be a big help, but be prepared for increased support calls for some organizations.
Say, whatever happened to the HEURISTICS we read so much about in the early 90s ????????????
There was some really good software that didn't rely on fingerprints at all! NO definitions! And it worked............ where did that go?
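
The point above about code running from the user profile, shown as an added example that is not part of the original post: a check that treats any executable loaded from a profile directory as untrusted unless its hash is on an allowlist. The function names, sample paths and hashes are constructed for illustration, and the sketch assumes only the profile roots are user-writable.

```python
import ntpath
import re

# Profile roots where a standard user must have write access (XP-style and Vista+).
PROFILE_ROOT = re.compile(r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\")
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}

def normalise(path):
    # Unify separators, collapse "..", fold case (Windows paths are case-insensitive).
    return ntpath.normpath(path.replace("/", "\\")).lower()

def classify(path, sha256, allowlist):
    """Return 'ignored', 'protected', 'allowed' or 'blocked' for one load event."""
    p = normalise(path)
    if ntpath.splitext(p)[1] not in EXEC_EXT:
        return "ignored"        # not an executable or script type
    if not PROFILE_ROOT.match(p):
        return "protected"      # assumption: default ACLs stop standard users writing here
    # Inside a user-writable tree the path proves nothing, because anything can
    # be dropped next to a legitimate per-user install. Require a hash match.
    return "allowed" if sha256 in allowlist else "blocked"

def review(events, allowlist):
    return [classify(path, digest, allowlist) for path, digest in events]

# Constructed placeholder hashes, not real file digests.
H_OUTLOOK, H_CHROME, H_UNKNOWN = "a" * 64, "b" * 64, "c" * 64
ALLOWLIST = {H_CHROME}          # the per-user Chrome build approved by the admin

# Constructed sample load events: (image path, sha256 of the file).
EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", H_OUTLOOK),
    (r"C:\Users\jdoe\AppData\Local\Google\Chrome\Application\chrome.exe", H_CHROME),
    # Same path as the approved browser, different content.
    (r"C:\Users\jdoe\AppData\Local\Google\Chrome\Application\chrome.exe", H_UNKNOWN),
    # A DLL in the XP-style profile, as a browser add-on would be.
    (r"C:\Documents and Settings\jdoe\Application Data\toolbar\helper.dll", H_UNKNOWN),
    # ".." segments that resolve back into the profile.
    (r"C:\Program Files\..\Users\jdoe\AppData\Roaming\upd.exe", H_UNKNOWN),
    (r"C:\Users\jdoe\Documents\report.docx", H_UNKNOWN),
]

if __name__ == "__main__":
    for (path, _), verdict in zip(EVENTS, review(EVENTS, ALLOWLIST)):
        print(f"{verdict:9}  {path}")
```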