Adblock on managed PCs?

This question is probably more up Wendell or Qain's alley (they've worked in corners of IT closer to mine), but I'd like to hear anyone's thoughts.

 

I work for a small managed IT firm and we offer centrally managed antivirus. It works well enough, but users still manage to infect their PCs. Obviously, no antivirus program can make up for users that have disabled or out-of-date Common Sense 2015. To help address that, I've been considering installing Adblock Plus in the browsers we pre-install in system images for new workstations. This would plug a major vector for malware, especially the "Speed up your PC!" or "Viruses detected!" variety.

 

Have you tried this? Are there any hidden downsides? I figure that even if users don't like it (some people /shudder/ actually like ads), we can always tell them "It's a work PC so tough shit, deal with it."

Does installing any software require admin privileges? If not, have you considered that?

If this crap comes from employees surfing the web, then you could put a good hosts file on the machines. You could also add safer sites that people are wasting time with, like Facebook, to really fuck with people. This solution should also save network traffic so legitimate stuff runs faster.

If all else fails, add a hosts file to the firewall to block ads from there. It may not be as pretty a solution as Adblock and has its own faults of being something you'd manually have to keep updated, but it's a start.

Doesn't Chrome's Adblock still download the ad and just not display it? I seem to remember hearing something along those lines.

If you manage a network, a better solution could be to move it away from the clients completely. I would recommend you look at using DNS filtering to block sites instead. Not only can you manage it from only one place instead of every client having its own lists, but you can force the use of one DNS server (if you don't already) and they cannot just disable the plugin to bypass it. It is also not only blocking in the browser but system-wide. I use some of the same lists as adblockers but in DNS. It works great.

With that said, you really should look at uBlock instead if you want to use a plugin. It is a lot more efficient, both in speed and especially in memory usage:

https://github.com/gorhill/uBlock

 

 

EDIT:

Okay, I thought I would add a few links. So here are two quick links on how to set up DNS filtering with adblock lists and a site where you can get the adblock lists auto-converted to DNS:

http://www.deer-run.com/~hal/sysadmin/dns-advert.html

http://box.matto.nl/dnsadblok.html

http://pgl.yoyo.org/adservers/

 

 

In a couple of enterprise scenarios and in my own home, I've used dnsmasq and hosts on those networks to block ads via DNS. This is actually the same concept that AdBlock uses; however, this requires no extra installation on each machine since it's on the network level.

In my specific scenarios, I've got the servers set up to auto-update weekly from several reputable hosts files that AdBlock itself uses.
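
The weekly hosts-list update described in the last post feeds third-party data straight into the resolver, so it helps to sanitize each download before dnsmasq loads it. The following is an added example, not code from anyone in this thread: it keeps only sink entries, forces the address to 0.0.0.0, and honors an allowlist. The sample list, host names and allowlist are constructed, and the output is meant for a file referenced by dnsmasq's `addn-hosts` option.

```python
import re

SINK = "0.0.0.0"
# Names a hosts file defines for the machine itself; never override them.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}
# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample of a downloaded hosts-format list (not a real blocklist).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com
127.0.0.1 Tracker.Example.NET  # inline comment
203.0.113.7 intranet.example.org
0.0.0.0 bad_name!.example.com
0.0.0.0 updates.example.org
"""

def valid_hostname(name):
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and not labels[-1].isdigit()          # rejects "0.0.0.0" as a name
            and all(LABEL.fullmatch(l) for l in labels))

def sanitize_hosts(text, allowlist=()):
    """Return (blocked_names, rejected_lines) for an untrusted hosts list."""
    allowed = {a.lower() for a in allowlist}
    blocked, rejected = set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # Accept sink addresses only: any other IP would redirect the name
        # to a host chosen by whoever controls the list.
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            rejected.append(raw)
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if name in LOCAL_NAMES or name in allowed:
                continue
            (blocked.add(name) if valid_hostname(name) else rejected.append(raw))
    return sorted(blocked), rejected

def render_addn_hosts(names):
    # The address column is always rewritten; the list's own value is ignored.
    return "".join(f"{SINK} {n}\n" for n in names)

if __name__ == "__main__":
    names, bad = sanitize_hosts(SAMPLE, allowlist=["updates.example.org"])
    print(render_addn_hosts(names), end="")
    print(f"# rejected {len(bad)} line(s)")
```

Logging the rejected lines on each weekly run makes a list that suddenly starts shipping redirects or malformed entries visible before it reaches clients.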