We will always set up a hardened firewall on the perimeter with UTM for Spam/Virus/Phishing built in.
This will forward through a DMZ subnet to an external Network Card on Server and ISA will forward to an internal Card.
No direct routing between cards.
The Firewall will not be plugged to the same switch as the internal LAN as this allows a back door around ISA (layer 2).
We see a lot of "IT Experts" doing this.
We run Anti Virus on Desktops/Server/SMTP.
Also SUS for ensuring updates and saving bandwidth.
Anti spyware on all Desktops.
We work to "you can never have too much protection for YOUR CUSTOMER'S NETWORK".
PS: Do not sell SBS Standard as at some point you will need to manipulate a VPN product through the firewall and you will not have the customisation available in ISA.
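One way to audit a cabling plan for the layer 2 back door around ISA described in this post, as an added example that is not part of the original post. The device and switch names are constructed, and the ISA server is modelled as a single node that never bridges its two cards.

```python
from collections import deque

# Constructed cabling plans: each pair is one cable between a device and a switch.
SEPARATED = [("firewall", "dmz-switch"), ("isa-server", "dmz-switch"),
             ("isa-server", "lan-switch"), ("pc1", "lan-switch"), ("pc2", "lan-switch")]
SHARED_SWITCH = [("firewall", "switch-1"), ("isa-server", "switch-1"),
                 ("pc1", "switch-1"), ("pc2", "switch-1")]


def l2_bypass_paths(links, firewall, proxy, internal_hosts):
    """Map each internal host to a cable path from the firewall that avoids the proxy."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    # Breadth-first search from the firewall, refusing to step onto the proxy:
    # anything still reachable is on a segment the proxy does not separate.
    parent = {firewall: None}
    queue = deque([firewall])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt == proxy or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    paths = {}
    for host in internal_hosts:
        if host in parent:
            hop, path = host, []
            while hop is not None:
                path.append(hop)
                hop = parent[hop]
            paths[host] = path[::-1]
    return paths


if __name__ == "__main__":
    for name, plan in (("separated", SEPARATED), ("shared switch", SHARED_SWITCH)):
        found = l2_bypass_paths(plan, "firewall", "isa-server", ["pc1", "pc2"])
        print(name, "->", found or "no path around the proxy")
```

An empty result means every cable path from the firewall to the listed hosts crosses the ISA server; any returned path names the switch that needs re-patching.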