Goodbye to Blanche DuBois

06.02.2006

We could implement stateful inspection technologies such as Cisco Security Agent, which, based on central policies, checks desktops for patches and antivirus software before granting them an IP address on the network.

We could require registration of all Ethernet card MAC addresses before allowing wired or wireless connections to the network. (MAC addresses can be spoofed, so this is of only limited effectiveness.)

We could require an SSL VPN for all remote access, giving us a single point of control and filtering for all Internet-based applications.

About the only way to defeat many attacks would be a throwback to 1970s serial terminals and mainframes -- unmodifiable thin-client devices connected to a Citrix application server. Each byte flowing would be centrally controlled, and the desktop would be locked down.

With all these measures, we might end up with a system so secure that no one could use it. The most secure library in the world is the one that never allows books to be checked out.