so set up a HW firewall to block all ports, including 80, right? That’s the only way that a HW firewall will protect from viruses, but then you render the internet useless…
edit: the use of host based firewalls can be debated, the use, or lack thereof in your case, is not debateable. I guarantee that all of your machines are owned and you are not helping the botnet or spam problems.