I volunteer as the network admin at my kids' Catholic school (nights & weekends). They have 50+ PCs and the battle against this stuff is staggering.
The so-called "drive-by downloads" are what cause a lot of it, but also trojans inside screensavers and wallpaper downloads. I'm about ready to ban those and lock down the desktops.
We have several walls up against it - a proxy server, firewall in a DSL router, web filtering software, Norton AntiVirus Corporate Edition, Ad-aware, NO Outlook Express (web mail only). But it still gets through.
That's what I do too, for two reasons. First, I figure I'm maximizing my chances of getting the most up-to-date definition files and have a better chance to catch any newly written malware. Also, what's the best program to plant spyware -- obviously a spyware detection program! So running two programs is a double check on the honesty of both.
If they can install software, you will constantly battle this problem.
Take all privileges (to install software, change settings, etc.) from the default user.