Check out a product from Vistawiz (www.vistawiz.com). I think it could provide a lot of assistance in addressing your problem. We are currently using it for firewall, intrusion detection, VPN, anti-spam, network anti-virus, content, and privacy, but you don’t need to implement all of them. It seems to work great and you get to talk with a human if you have issues. Basically, it’s an integrated network security device that sits on the edge of your network. The main thing is that it is a managed service. One of the services they offer would allow you to identify and isolate infected PCs before it screws up your entire network. Because the device is relatively cheap, you could deploy them in several locations throughout your network. Pricing appears to be very reasonable, plus you can deploy additional services without having to buy another piece of hardware.
That said, I don’t think it will handle restricting new unknown connections unless you decided to require/implement a VPN connection.
If you try it, let me know how it goes.