I think GUP would be a good solution also. GUPs will only distribute content updates (virus defs, ips defs, ptp defs) and will not distribute client updates. Also, if you use RU5 or later you can create GUP failover so that if a GUP is down (turned off or whatever), the group will update from the backup GUP.
Any client can be a GUP even XP machines, but like Vikram says a server OS would be the way to go because of the connection limit. XP has a limit of 10 connections, while a server OS has umlimited.
We use the GUP setup here, and it has helped curb our bandwidth use tenfold. Our setup is like this - the SEPM sits in our data center, and we have three locations. I setup the DCs in each location as GUPs (win2k3 boxes). The SEPM updates only the three DCs, and from there the GUPs update the machines in their group. So, if you break your groups down to subnets, bandwidth will be saved.
In a future release GUPs will be able to push client updates as well. That would be so cool.
The clients will still connect to your SEPM and get policy updates, but that's no big deal. Hope that helps.
This may help as well:
https://www-secure.symantec.com/connect/articles/tips-installing-sep-low-bandwidth-environment
Mike