heres 2 right off the bat.
Here's a tip , NW Eng trust that shall remain nameless - Dont make the Smoothwall content management filtering system OPTIONAL!
I'm no network expert, but I'm sure there are ways of directing traffic through the smoothwall that dont rely on the user not unticking a box in their browser!
Here's another - block executable downloads. I'm struggling to think of any reason any user would need to download a .exe / cmd / ps / vbs.
'course you cant do (2) till you've done (1).