First step, identify what your company's stance (i.e. Policy) is on Internet access. If you have a small pipe, getting streaming off net is fairly easy, Facebook, a bit harder.
Acceptable use is not for IT to decide, so make sure you have executive support.
For free, quick, simple, extremely basic/easy to thwart filtering, use OpenDNS, register your IP and turn off categories you identify in this first step as undesirable.
Step two, if you've inherited IT, you've inherited the IT budget. Find out what it is and how much the company plans to invest annually in technology. If it's not important to them to identify, your fighting a loosing battle.
Once identified, step three, do a quick risk analysis to determine where your highest business risk is. Typically organizations look at perimeter first, but as you are doing, remember OUTGOING is perimeter...so content filtering is important.
Anti-virus, although largely ineffective at stopping new threats is valuable when identifying compromise. Make sure your using something good and it's updating on your server and clients. Centralize management is really important as well as content filtering as explained above. When an incident happens, you need to be able to determine what happened in order to stop the incident from occuring again.
Without knowing your email configuration (assuming webmail), standardize on a single service for all users. Anti-virus is your only method for combatting this unless you stand up a UTM box (Untangle, Astaro, etc.) or host your own email server and can subscribe to a service like Postini or Websense to scrub/filter your mail for you.
Hope that helps a bit. Like the other response, I would upgrade your two XP clients if possible, firewall if not. The Win2k8 server is not a concern. Just keep it patched. (patching and vulnerability scanning is a whole new topic that should be on your radar after looking at the above topics as well as a ton of other things, but this should help you get started alteast.)
Hope this helps.