You have mentioned you do a good job with Microsoft patches and that you recently updated Flash and Shockwave, but have you checked what versions of Adobe Reader and Adobe Acrobat are in your environment? We have seen a lot of malicious PDF files which are not getting detected by McAfee on a consistent basis, and the only way we were able to reduce the number of infections was by updating our 3rd party software more frequently and removing administrator rights from users that do not need them.
I wish we could remove Administrator rights but that is not possible at this time (we'll be looking at it again with Windows 7). I know that they did send out an update for Acrobat but I'll have to confirm that it was the latest version and that older vulnerable versions were removed.
Thanks for taking the time to reply.
Disappointed to hear that your users retain admin rights. If you use XP Pro, have you considered making your users Power Users instead of admins? It still gives them the ability to install print drivers, but keeps them from having full-blown admin rights (although we had to concede adding read/write permissions for Power Users on Program Files).
Regardless, the bad guys use a lot of methods to get into your machines. In lieu of taking away internet access (wouldn't that make it a lot safer?), you could consider a gateway device on your internet access. Also, Adobe Reader is often exploited by using obfuscated (hidden) Java or JavaScript code within the document... I think Reader has an option to disable Java in PDF documents.
I see a lot of infections initially downloaded in the temp cache in the user's profile, often with a .tmp extension. Hopefully you don't have .tmp as a file type extension exclusion. Good luck.