Enterprise-sized companies...
We have around 5000 - 6000 PCs in my organisation...
They are all locked down tighter than BillG's fashion sense...
Some of us DO have admin privileges, but then we need to log in with a special account, or preferably use 'Run as...'.
If software or drivers are shown to require 'write privileges' to the Program Files folder, special parts of the registry, or, God forbid, the Windows System folders during normal running, we PACK THE CRAP UP AND RETURN IT.
It's not FIT FOR PURPOSE, or even fit for the 'designed for WinBlows' logo someone accidentally slapped on the box...
Remember Blaster? That fun-loving little program?
It infected 3 (yes, 3) of our computers. Two of them were laptops which got the infection while on unsecure home networks; the third was infected by one of the first two.
The firewall is administered with a simple rule: 'if it isn't needed, it's closed'. (Actually, there are multiple firewalls and 'zones'.)
Anti-virus...
No user can disable the real-time scanner on his PC.
Email is scanned by a product from another supplier, and of course, dangerous file types are deleted automatically.
Web surfing goes through a proxy (HTTP traffic is only allowed through that proxy) which scans everything, in real time, for viruses and other nastiness.
Our ISP monitors traffic and alerts us if suspicious traffic is spotted.
PCs are set up with password-protected screensavers.
(Not a popular decision, but it was mandated from the top)