A firewall and antivirus are not even enough to protect people who are not high-priority targets. Companies become higher-priority targets the larger they grow. Companies that do not take steps to lock down their systems will only find themselves compromised sooner.
I'm not IT, but if I were, I would not allow anyone any freedom outside their terminal responsibilities. People in general cannot be trusted to keep your company systems safe.
Windows GPO limitations for downloads and system access.
Password policies -- long passwords that expire, at the very least, every 60 days.
A well-hardened firewall. We use Juniper, for example, but any other brand such as Cisco ASA etc. should be fine.
Group assignment -- segregate your users into groups and set requirements per users' needs. Most of the time, the fewer permissions the better!
Probably the most important here is:
User training... Please educate your users. I cannot stress how many issues are introduced by uneducated users. The last thing you want is admin/user credentials being stolen through a phishing attempt.
Remember -- all the policies in the world are PASSIVE and by themselves do absolutely nothing. The active part is the educated user who READS and follows each policy every day.
As the company grows and staff is added to create the I.T. (information technology) department, you need to budget immediately for a Security Czar who will manage ALL security devices, policies and how/who gets access to what. DO NOT SKIP THIS STEP.
Start reading on the subject "Role-based permissions".
Role-based access control (RBAC) refers to the idea of assigning permissions to users based on their role within an organization. It provides fine-grained control and offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.
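The RBAC model described above, as an added example that is not part of the original thread: permissions hang off roles, users hold roles, and an access check is deny-by-default. The role names, permission strings and users are constructed sample data, and the audit helpers (`audit_unknown_roles`, `users_with_permission`, `change_role`) are hypothetical names chosen for this illustration.

```python
# Constructed sample data: role -> set of permissions it grants.
ROLE_PERMISSIONS = {
    "helpdesk":   {"ticket:read", "ticket:update"},
    "accounting": {"invoice:read", "invoice:create"},
    "admin":      {"user:create", "user:disable", "ticket:read", "invoice:read"},
}

# Constructed sample data: user -> set of roles held.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob":   {"accounting"},
    "carol": {"admin"},
    "dave":  set(),      # new hire, no role assigned yet: gets nothing
    "eve":   {"admn"},   # typo in the role name: grants nothing, caught by audit
}


def permissions_for(user):
    """Union of the permissions of every role the user holds.
    Deny by default: unknown users, users with no role, and roles that
    are not defined all contribute an empty set."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    """Single access-check entry point used by every resource."""
    return permission in permissions_for(user)


def users_with_permission(permission):
    """Answer the audit question 'who can do X?' from the role model alone."""
    return sorted(u for u in USER_ROLES if is_allowed(u, permission))


def audit_unknown_roles():
    """Roles assigned to users but never defined: usually a typo or a stale
    assignment. They grant nothing, but they hide an intended grant."""
    defined = set(ROLE_PERMISSIONS)
    return {u: r - defined for u, r in USER_ROLES.items() if r - defined}


def change_role(user, new_roles):
    """Job change: replacing the role set drops every old permission at once,
    which is what per-user permission lists tend to get wrong over time."""
    USER_ROLES[user] = set(new_roles)
    return permissions_for(user)
```

Running `audit_unknown_roles()` against this data flags `eve`, and moving `alice` from helpdesk to accounting with `change_role` removes her ticket permissions without any separate revocation step.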