Worms & Firewalls

I work with many small businesses with dedicated internet, some through frame relay lines. I know that their routers are set up to use NAT, and I thought this would keep worms out, but it hasn’t, and worms have become a serious problem because mostof the workstations need File/Printer Sharing enabled.

First question: Why isn’t NAT sufficient to keep out worms?
Second question: Symantec has published info stating that password protecting hard drives of the workstations would keep out the worms that look for network shares. Is this sufficient?
Third question (and the biggest): How do you keep worms off the servers?? I can’t password protect every share. What do I do, especially that won’t break the bank of small businesses?