don't get a software firewall. Get a decent hardware one (smaller watchgaurd boxes, sonicwall, etc - NOT netgear or linksys!)
Set it to block EVERYTHING except the things you need (outgoing especially, not just incoming)
If the users don't know too much about computers they should not be loading any new software on an internet attached PC anyway, so changes to the config should not be an issue.