There is a solution to dodgy e-mail attachments.
1. Set up a desktop on AWS or similar.
2. Require all users to access said desktop via VNC (special version, file transfer disabled)
3. Require all users to only access e-mail using webmail of some sort via a browser on the remote desktop, with attachments being viewed via browser plugins.
4. Wipe and re-install remote desktop every hour.
There's probably still some holes in this, but it's more useable than 'ban the interwebs'.