User Journal

Journal Journal: May 2005: Spam, Spyware and Spivs

3 main problems currently. Spam coming in through the email, spyware filling up PCs with crap, and 'spivs' who plug insecure PCs into the network.

1) For spam we use 'IronMail' from CipherTrust. We're getting ~84% spam, but the 'Threat Response Updates' are to spam what updating antivirus definitions is for AV apps. IronMail is stopping all but a few spam to each account daily. Problem is, there's a lot to configure: it takes a great deal of tweaking to ensure 20,000 accounts get their email but not their spam.

2) Spyware is mostly a problem in classrooms on shared PCs which have scores or hundreds of different people logging into them each week. We've now deployed 'Deepfreeze' which discards any changes made to the hard drive, every time the user logs out. Sweeet. We've had to introduce a one hour update window starting at 3.30am to allow AV DATs and the OS to accept updates. It's a reasonable compromise.

3) The fix for the Spivs is a) education and b) automatic network port checking by Cisco. Firstly we're writing web documents explaining how to connect securely and keep updated. Secondly, we're upgrading the core network to allow us to deploy a Cisco product that will check PCs that plug into network ports. If they're not up to the latest patch level, they can only get through to a 'sandbox' where they are informed of the fact and given an opportunity to patch their PC.

The core upgrade is expensive and will take some time. Also, the Network Manager is repeatedly making unilateral security decisions and pissing everyone off. One hopes he can be persuaded to be more civil RSN.

User Journal

Journal Journal: Gaobot worm

Current problem: Gaobot worm. It's out there on our network somewhere, probably brought in on a laptop like Nachia was last time.
Nowadays we have to update the Operating System patches and Antivirus Definitions offline before plugging into the network, or Gaobot disables McAfee VirusScan and you have to reimage the PC from scratch.
McAfee says it can clear this worm off if you enable scanning of compressed files, but in practice it doesn't seem to be able to. I even tried slaving an infected HDD off a clean HDD and scanning from the uninfected OS. Still no dice.
If anyone out there knows how to kill Gaobot on an infected PC, I'd be interested to hear about it.

Hardware

Journal Journal: Fujitsu HDDs ~20GB dying like flies

Our site has had many dozens of Fujitsu hard drives break down. It appears they run WinNT OK, but Win2000 makes them break in 12-15 months. The problem is well known, and is to do with the HDD BIOS which is on a chip on the backboard on the HDD itself. In theory, you can revive a dud HDD by swapping the backboard though I have no examples of this having been done.
This has been one of the most time consuming problems on my site during the last couple of years.
