Hi
You might like to look at some of the tools from GFI Software (think that's the name). They have a thing called Lan Security Analyser. You give it an IP address and it scans that machine. Comes up with all sorts of stuff, including missing patches, unnecessary shares, general security stuff.
One other thing that they might find useful: install a SUS server (Software Update Services) from Microsoft. It's free and makes the installation of approved updates to Windows a complete no-brainer. Also means that the patch only gets downloaded once then locally distributed = savings on web bills if billed on traffic.
I didn't notice, but what mode is their ISA Server running in?
Regards
Simon