Just to offer my two cents, as an infosec guy, I'd strongly recommend upgrading to Windows 7 on any machines we can ASAP. Windows XP is trivial to exploit (plenty of free tools out there), and the fact that members who have access to the MLS computers can download and install any software from anywhere on the Internet means that keyloggers, screenscrapers, RATs and trojans have free rein on our machines (not to mention how incredibly easy it is to move laterally to infect other machines due to common password usage).
Having nicely written policies is good, but until we enforce policy by finally locking down user accounts so that third-party software cannot be installed, we're making it far too easy for sensitive member PII to be stolen.
Furthermore, 64-bit Windows 7 at least has PatchGuard built in, which is better than nothing, and miles ahead of XP from a security standpoint. More importantly, I regularly encounter drive-by downloads from known trusted sites that are infected (think nbc.com on Feb 21st of this year), and it's been proven that Sophos (and A/V in general) simply doesn't catch it all.
We need much better endpoint security on our ward and branch computers, and getting off of Windows XP is the very first step. I shudder whenever I have to type in my MLS password because I just don't have much confidence that these machines are free of keyloggers since we're still using Windows XP and there are no controls in place to actually enforce policy.