Only one network administrator
Eight-character-long login passwords
Disable/uninstall all unnecessary services (IIS first)
Remove all Windows 9x systems from the network
Disable cookies, ActiveX and component downloading from the internet
Disable scripting on email programs
Use a firewall and antivirus
Possibly rely on a router or NAT
Implement IPSec (if you have all MS Windows machines)
Disable Remote Desktop/Terminal Services
Use appropriate share and file permissions
Use screensaver protection
...that would be enough for protection from the outside and a little from the inside.
If you can, set up a Domain with Hisec default policy, but that's another story... a little more complex than a LAN.
I'll keep thinking in case I forgot anything important.