The golden rule is that security is only as strong as the weakest link in your company - end users who invite malicious code by clicking on dubious links on the internet - for example, clicking OK to install the xyz screensaver, or free software to get music/porn.
Your IT personnel should educate and sensitise end users to act responsibly on the internet. I hardly doubt there is a security software which will give you 100% protection against malware if your employees consistently click OK on everything on the internet without thinking about the consequences.
You could also consider using Application and Device Control policies to prevent the creation of exe files in C:\Documents and Settings\%USERNAME%\Local Settings\ and C:\Windows\Temp.
You can read up on this at:
http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf
Also, note that enabling IPS and NTP should help protect against network-borne threats/exploits, including fake AVs.
Ideally, I would suggest you apply Application and Device Control policies and IPS/NTP on a few workstations for testing purposes, to guard against issues.
You should understand that finding the best possible configuration will take time and may result in issues of varying severity in the beginning. But in the long run, it's you who will derive the maximum benefit.
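An added example, not part of the post above or of Symantec's product: the ADC policy is configured in the product UI, so this independent Python check walks the two user-writable locations the post names and reports any file that carries a Windows PE header, whatever its extension (a dropped binary renamed to .scr or .dat would still be found). The directory paths are the ones in the post; the sample-file helper is for testing only.

```python
"""Audit the temp locations named in the post for PE executables by header, not extension."""
import os
import struct

# Locations named in the post (Windows XP-era layout); %USERNAME% is expanded at run time.
DEFAULT_DIRS = [
    os.path.expandvars(r"C:\Documents and Settings\%USERNAME%\Local Settings"),
    r"C:\Windows\Temp",
]


def is_pe_file(path):
    """Return True if the file has an MZ DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)  # e_lfanew
            f.seek(pe_offset)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_executables(directories):
    """Walk each directory tree and return sorted paths of files carrying a PE header."""
    hits = []
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if is_pe_file(path):
                    hits.append(path)
    return sorted(hits)


def make_sample_pe(path):
    """Write a constructed minimal MZ/PE stub (a header only, not a runnable program) for testing."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 64)  # e_lfanew -> PE signature right after the header
    with open(path, "wb") as f:
        f.write(bytes(header) + b"PE\x00\x00")


if __name__ == "__main__":
    for hit in find_executables(DEFAULT_DIRS):
        print("executable found:", hit)
```

Any hit in these directories is worth investigating, since legitimate installers rarely need to leave executables there and the post's ADC policy is meant to block exactly that write.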