I too work in IT, and support over 3000 users in at least 3 states. Thankfully, we use proxy rules and a firewall to limit/track where people go on the internet, and all incoming email goes through Postini, Trend for Exchange, then another well known brand AV software at the desktops. At home, I use Avast even though the other software is free, and would choose Avast for work if I were the one making the decisions. But those decisions are made at the corporate level, and our division is just a small piece of the pie (a division of a very large multinational aerospace holding company). Oh well. My job includes being the 'Virus Focal', and I've used a lot of different products, and spend a lot of time remotely repairing the AV software we use on people's desktops.
If you want to control where people go, if I am 'hearing you' correctly, you could implement that in the users' hosts file. Any 'bad' domains/IPs should point to 127.0.0.1, and since the hosts file is parsed before the computer runs to DNS, that would stop all kinds of junk. My personal hosts file reads like a book. You could revoke all permissions to the hosts file to all but one administrator account so the end users can't fiddle with it even if they knew the domain was being blocked from there. (The end users should not have local admin accounts, but that is another issue.)
Most of the problems I have seen from the websites our people can get to are malicious scripts downloaded to CONTENT.IE5. At the very least, the file should be prevented from executing even if it is not prevented from being downloaded or is not deleted.
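As an added example (not part of the comment above, and not any product's code), here is a small Python helper that works the way the hosts-file approach described in that comment does: it parses a hosts file the way a resolver reads it (first matching name wins, `#` starts a comment, one address may carry several names), reports whether a name is currently sunk to 127.0.0.1, and appends new sink entries without duplicating ones already present. It goes one step beyond the comment in that it refuses bare IP literals, because a hosts entry maps a name to an address and cannot sink traffic that is addressed by IP in the first place. The sample hosts content and the `.invalid` domains are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

BLACKHOLE = "127.0.0.1"          # sink address chosen in the comment above
MARKER = "# managed blocklist"   # comment line that introduces our appended entries

# Constructed sample hosts file; not copied from any real machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ads.example.invalid tracker.example.invalid  # existing entries
"""

# One DNS label: letters/digits/hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def looks_like_hostname(name: str) -> bool:
    """True for a syntactically valid hostname; False for IPv4/IPv6 literals.

    The hosts file maps names to addresses, so an IP literal can never be
    sunk by it; such entries are reported back to the caller as skipped.
    """
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253:
        return False
    if ":" in name:                                # IPv6 literal
        return False
    if all(label.isdigit() for label in labels):   # dotted IPv4 literal
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(address, [names...]), ...] in file order, comments stripped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:                        # address followed by one or more names
            entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def resolve(entries: List[Tuple[str, List[str]]], hostname: str) -> Optional[str]:
    """Mimic a resolver's hosts lookup: the first entry naming the host wins."""
    target = hostname.lower().rstrip(".")
    for address, names in entries:
        if target in names:
            return address
    return None


def is_blocked(text: str, hostname: str) -> bool:
    """True when the hosts file currently sends this name to the sink address."""
    return resolve(parse_hosts(text), hostname) == BLACKHOLE


def add_blocklist(text: str, domains: List[str]) -> Tuple[str, List[str], List[str]]:
    """Append sink entries for new domains; return (new_text, added, skipped).

    Names already present anywhere in the file are left alone so an existing
    mapping (e.g. localhost) is never shadowed or duplicated; IP literals are
    returned in `skipped` because the hosts file cannot block them.
    """
    known = {name for _, names in parse_hosts(text) for name in names}
    added: List[str] = []
    skipped: List[str] = []
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if not looks_like_hostname(domain):
            skipped.append(domain)
        elif domain not in known:
            known.add(domain)                      # also de-duplicates within this request
            added.append(domain)
    if not added:
        return text, added, skipped
    block = "\n".join(f"{BLACKHOLE} {d}" for d in added)
    new_text = text.rstrip("\n") + "\n" + MARKER + "\n" + block + "\n"
    return new_text, added, skipped


if __name__ == "__main__":
    updated, added, skipped = add_blocklist(
        SAMPLE_HOSTS, ["bad.example.invalid", "ads.example.invalid", "192.0.2.10"])
    print("added:", added, "skipped:", skipped)
    print("bad.example.invalid blocked:", is_blocked(updated, "bad.example.invalid"))
```

The script only transforms text; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`, and writing it back requires the administrator account that the comment suggests keeping as the sole owner of write permission. Reading the file through `parse_hosts` on a schedule and comparing against the expected managed block is also a cheap way to notice when an endpoint's hosts file has been tampered with.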