I had two sites I used to administer that were constantly getting infected with something. They hired kids to work the night shift and they would get bored and surf anywhere you could imagine.
At one site, instituting a computer use policy, proxy, and a blacklist like DansGuardian along with fetching the mail to an internal server and scanning before delivery was enough to curb it to 1 minor infection in 5 years. At the other site, this didn't even come close. We had to completely lock down the internet and approve specific sites and domains as needed. This has yielded no infections in the four or five years I remained with them.
Both sites have or had a public wifi and separate Linux systems for guest access on a separate subnet the employees could use (when guests weren't), but for some reason they insisted on using company workstations.
I stopped working with them about two years ago. I dunno what they have now, but I saw one of the companies is being sued for a data breach with credit card numbers.