• This may sound a little draconian to some, but I work for a major broker-dealer, and given the risks of some of the data getting out (we have SSNs and people's info easily available to many employees), I don't understand why more enterprises don't utilize thin clients in a greater way. Thin clients that have very limited desktop hardware are completely adequate for most users, and you should be able to eliminate the USB ports, disk drives, etc. that pose the biggest risk.

    I know it would not make sense for all employees, because some employees would need a full workstation for various reasons, but for a lot of employees it would, and that would at least reduce the attack surface greatly.