I reckon that depends on where your biggest threat lives.
I would start by hardening the wireless piece by not allowing wireless access to the router and changing the admin password quarterly. It should be a complex password as well. Once you get a complex password in your head you can make minor changes that will make sense to you and still keep it changing.
Turning off the SSID broadcast can make life harder for war drivers with a single mouse click. MAC Address filtering is another way to keep unwanted machines off your network.
Blocking certain internet sites and virus scanning emails is fairly simple to implement with your firewall. It’s better to lock it down tight and let your users request access to sites than to leave it too lax.
Be sure to timeout VPN access if the connection has been idle for x minutes. I’d put it at 20 minutes which, depending on the work your users are doing, may be too generous.
Where I’m at now the use of usb drives has been turned off via policy and a bios setting. It’s a pita but there’s not much chance of a virus creeping in. Very few users have local admin permissions on their machines so adding software is tightly controlled.
The more critical it is for your machines and your data to be available the tighter the controls that need to be in place. Having a 100K executive sitting idly for half a day or more while his laptop gets cleaned makes the extra steps up front well worth the effort.
If you want to let public “guests” connect to the internet through your wireless system while protecting your LAN, you can do so by:
1) set up VLANs – one for the wireless guests and another for your internal use,
2) if your AP supports it, you might be able to use “wireless isolation” – where associated devices cannot see anything BUT the internet (Some APs can do that per VLAN)
3) if needed, set up some ACLs / Firewall rules blocking the guest VLAN from your internal network…
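One concrete form of those three steps, as an added example rather than anything from the post above: an nftables ruleset for a Linux router that carries both VLANs, with interface names and address ranges that are my own assumptions.

```nft
# Added example, not from the original post. Assumed layout:
#   eth0.10 = internal VLAN 10, 192.168.10.0/24
#   eth0.20 = guest wireless VLAN 20, 192.168.20.0/24 (router is .1)
#   wan0    = uplink to the Internet
# Load with: nft -f guest-vlan.nft   Verify with: nft list ruleset
define lan_if          = "eth0.10"
define guest_if        = "eth0.20"
define wan_if          = "wan0"
define lan_net         = 192.168.10.0/24
define router_guest_ip = 192.168.20.1

table inet guest_isolation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Only the internal VLAN may talk to the router itself (admin UI, SSH, ...).
        iif $lan_if accept
        # Guests get exactly DHCP and DNS from the router, nothing else.
        iif $guest_if udp dport 67 accept
        iif $guest_if ip daddr $router_guest_ip udp dport 53 accept
        iif $guest_if ip daddr $router_guest_ip tcp dport 53 accept
        iif $guest_if log prefix "GUEST->ROUTER DROP " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Step 3: the guest VLAN never reaches the internal VLAN; log attempts.
        iif $guest_if ip daddr $lan_net log prefix "GUEST->LAN DROP " drop
        # Guests may only go out to the Internet (the drop policy covers everything else).
        iif $guest_if oif $wan_if accept
        # Internal users reach the Internet; no rule forwards LAN traffic into the guest VLAN.
        iif $lan_if oif $wan_if accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        oif $wan_if masquerade
    }
}
```

The logged drops are what you would watch in syslog to confirm the isolation is doing its job once guests are connected.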