Perhaps this is an area of risk that Linux can help out with
Can't help thinking that this might be the stick that might consider some sysadmins to break the Windows deployment camel's back. Damage due to virus activity (which now has to include problems caused by antivirus activity) has to be added to a Windows deployment TCO and weighed against the Linux TCO.
Not running antivirus on servers means that you can guarantee that not only cannot malicious payloads be moved to these servers, but also that malicious activity cannot originate on these servers. The enhanced security modes on IE can reduce the risk of the latter; however, the former is still a problem. How do you audit against these things? Is there an accepted diligence process?
I wouldn't be surprised if a significant proportion of malware activity happens as a result of (if not deliberately caused by) a user with administrative privileges. Back in the days of NT4, I was handed domain user control of a sizeable industrial network as a young pimply eighteen-year-old to do some admin tasks. I turned auditing on my user in order to cover my own arse if things went poop :)