Corporate firewalls can stop people from getting out to the internet, which is the only way to stop a majority of infections. But if it's an educational institution, blocking the internet would be considered fascist. I work at a university and the rules are different from the corporate world. The firewalls you're thinking about won't block anything that is within the network if it originates from a computer that is used off site or from a disc of some sort. There are a myriad of ways to localize a problem to one system, but nothing short of cutting the connection is 100% effective.
Well, here we go again. Several of my clients are educational institutes. You don't need to block the internet to stop viruses getting into the network via the internet. You just need a decent firewall and not some noob that believes iptables with Snort 'configured right' will do the job. And you don't need to be a fascist either.
And if you have had an issue with McAfee I'd guarantee it was operator error. I've seen McAfee clean up networks in a very short time that were running MS Forefront or CA eTrust that were rampant with infections. Centralised management is not the only thing I like about McAfee - the behavioral aspects are what make the difference. Signature-based % tests are meh. A properly tuned AV solution kills most threat vectors effectively. Artemis also added a lot to the product.
As for my experience, that was just 8 years in security, i.e. after 17 years of doing a lot of work with PCs (from CPM, MS-DOS 2.11, OS/2 Warp, Amiga Workbench, Windows 3, and so on, not counting my non-commercial teen years experience either) I focused more on security.
Maybe I'm throwing my 'virtual testies' out there, but all I'm offering is the advice of the person "who does security for a living" vs the home-school option.
Pembquist, I'm running Kaspersky at home on some of my network (we got given a 10 node test license). I like it too.