Policy is the most important part of any protection. Without a
thought-out security policy, implemented and maintained at the highest
level, it is impossible to talk about corporate security at all.
Good guidelines on corporate security policy can be found in
RFC 2196, Site Security Handbook:
ftp://ftp.isi.edu/in-notes/rfc2196.txt
and in a few NIST publications:
NIST: Guide for Developing Security Plans for Information Technology
Systems
http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST: An Introduction to Computer Security: The NIST Handbook,
http://csrc.nist.gov/publications/nistpubs/800-12/
NIST: Generally Accepted Principles and Practices for Securing
Information Technology Systems
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
I will just remind you of a few key points that matter for protection
against e-mail attacks:
1. You SHOULD have written instructions for users on using e-mail. The
instructions should state what users can and cannot expect to receive
via e-mail and whom they have to contact in case of unexpected e-mail.
2. You SHOULD have an AUP (Acceptable Usage Policy), the document that
explains to users what they can and cannot do, what kind of resources
they can access and what kind of files they can send or receive via
e-mail. All users (including administrators) should sign the AUP and
have a printed copy.
3. Have a corporate address book. Your policy MUST specify who can add
or edit addresses in the corporate address book. You should have a
policy to send confidential documents only to entries from the
corporate address book.
4. Have registries for private/confidential/secure documents. For each
registry specify the boundaries for distribution of these documents,
including the groups from the corporate address book that may receive
them.
5. Do not let your system administrators use e-mail from administrative
accounts. Only accounts without elevated privileges should be used to
access e-mail or the Internet (remember that members of the Power Users
group have very high privileges). Normally administrators should work
under a non-privileged account and use administrative privileges only
for administration. Under Windows 2000 this is easily achieved with the
RunAs service and the runas command, which start a single program under
a different account than the one the session is logged on with.
6. You MAY have a policy to allow Internet or e-mail access only from
guest accounts or from dedicated workstations without connection to
the internal network.
7. Train and test your users. Try to imitate e-mail attacks against
users and see how they react. It will help you to find weak places
before they are exploited. You can also do classroom training and
internal certification for your staff. Certification may be required to
access confidential documents. You can also require additional training
and certification for users who failed the test during attack
imitation. Training policy SHOULD be a part of the security policy.
8. Limit access to the corporate network and confidential information
from mobile and home computers. Normally you can't control the settings
on your users' home computers. If you allow them to access confidential
information from home, all your other security measures give nothing to
protect against a possible attack. You may have a policy to "certify"
all computers with access to confidential information. For example:
"all home and mobile computers accessing or storing confidential
information should be certified at least once every 2 months by a
system administrator; all software installation should be done under
the control of a system administrator". The "certification" procedure
should be clearly declared.
9. Remember that executives and managers ARE users, and they are the
most likely to be attacked. It will be very hard to control executives
or managers if you have no signed paper allowing you to do that. That's
why it's important to mention this in the security policy, because the
security policy is a document signed by executives :)
10. Make all software uniform. Don't allow users to run different MUAs
(mail user agents), because it complicates administration: it is much
easier to maintain 1000 computers in the same configuration than 100
hosts each with a unique configuration. Subscribe to security lists
(such as ISS X-Force, Bugtraq, Securiteam) to learn about and correct
vulnerabilities in your software before attackers become familiar with
them. Check for the availability of updates. You MUST have a policy for
implementing security fixes. This policy should guarantee that only
tested updates are installed in the production environment and that
all security-related fixes are installed within a short time. Sometimes
it is very hard to find a balance between these two requirements.
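The rule in point 5 (no e-mail or browsing from privileged accounts) is
only useful if it is checked. The script below is an added example, not
part of the original text, showing one way to audit a Windows host for
mail and browser processes that run under accounts which are direct
members of the local Administrators or Power Users groups. It assumes
PowerShell 5.1 or later (for Get-LocalGroupMember), CIM access to the
local machine, and the list of client executable names is an assumption
to be adjusted for the software actually deployed; nested group
membership and domain-wide groups are not resolved.

```powershell
# Added example: find e-mail/browser processes owned by privileged local
# accounts. Not from the original paper; names below are assumptions.
$privilegedGroups = @('Administrators', 'Power Users')
# Assumed client executables (without .exe); adjust to your environment.
$clientProcesses  = @('outlook', 'msimn', 'iexplore', 'chrome', 'firefox')

function Get-PrivilegedPrincipals {
    # Returns "DOMAIN\user" or "COMPUTER\user" strings for direct members
    # of the privileged local groups. Groups that do not exist on this
    # version of Windows (Power Users is gone on modern systems) are skipped.
    $result = @()
    foreach ($g in $privilegedGroups) {
        try {
            $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
            foreach ($m in $members) { $result += $m.Name }
        } catch {
            Write-Verbose "Group '$g' not found or not readable: $_"
        }
    }
    return $result
}

function Find-PrivilegedClientSessions {
    # Lists running client processes whose owner is a privileged principal.
    $privileged = Get-PrivilegedPrincipals
    $procs = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $clientProcesses -contains ($_.Name -replace '\.exe$', '') }
    foreach ($p in $procs) {
        # GetOwner fails (non-zero ReturnValue) for some protected processes.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { continue }
        $account = "$($owner.Domain)\$($owner.User)"
        if ($privileged -contains $account) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Name      = $p.Name
                Account   = $account
            }
        }
    }
}

# Report violations of the "no mail from admin accounts" rule.
Find-PrivilegedClientSessions | Format-Table -AutoSize

# The intended working pattern for an administrator is the reverse: log on
# as an ordinary user and start only the administrative tool elevated, e.g.
#   runas /user:CORP\alice-adm "mmc.exe compmgmt.msc"
# (account and tool names here are illustrative assumptions).
```

Run the audit from a scheduled task or a logon script and feed non-empty
output to whoever enforces the AUP; an empty result is the expected
state. Because only direct group members are compared, a user who is an
administrator through a nested domain group will not be reported, so
extend Get-PrivilegedPrincipals with a directory lookup if that matters
in your environment.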