How Do I Secure A Web Browser?

Browsers indeed are the primary entrance method of malware intrusions.
VPN’s, although the best current ’secure’ communication encryption method, does NOT preclude the risk of malware reception: it only assures private communication. The 2 are distinctly separate concepts.
Default configurations are ‘geared’ to allow websites (and by default, 3rd party assets) to perform all manner of glitzy functions like graphics and interactivity, but it’s this very ‘flexibility’ that the bad guys leverage to install malware…from fairly harmless tracking cookies to the most virulent rubbish imaginable.
Your fundamental strategy should be intrusion PREVENTION: achieved with a layered defense, and stop ‘automatic browser action’ until you approve it.
A minor pain in the adz when compared to re-formatting & data loss or compromised banking & credit card info.
Stop using Internet Explorer!
[Because of overwhelming, persistent hacks, IBM no longer will use IE in it's corporate environment; moving to Firefox...that should tell you something. July, 2010]
You can’t rely on an “anti-anything” if you use Internet Explorer, or a ’stock’ Firefox browser.
Firefox, beefed up with ‘NoScript’ and my other official Firefox Collection items, stops acres malware seen here in Y! Answers:https://addons.mozilla.org/en-US/firefox…
Turn off 3rd party assets:
Tools> Options> Privacy> top drop menu set to “Firefox will use custom settings…”> Check ‘Accept Cookies from sites’
►& Un-Check ‘Accept 3rd Party cookies’
All Microsoft installed rubbish (hacks) MUST be disabled!
Look in Tools> Add on’s> Extensions & Plug-in’s. (NET framework, Windows Presentation Foundation, Shockwave, Silverlight, Java stuff, or other active scripting rubbish).
Note that deliberate use of ‘dark side’ sites, porn, peer-2-peer, pirated music, movies, software, etc. will ultimately defeat ANY security barriers.
Use a “Limited User” account and “Sandboxie”: http://www.sandboxie.com/
for even better protection.
Core defense applications might include (but not limited to):
Avast! (anti-virus); http://www.avast.com/free-antivirus-down…
or Avira.
“MalwareBytes” works for rubbish already plaguing you.
Always incorporate a stout firewall: Some freeware is here: http://www.snapfiles.com/Freeware/securi…
Look them over and match your needs to skill level.
SpywareBlaster (snoopware prevention and hostfile guardian); http://www.javacoolsoftware.com/spywareb…
If you don’t have time or skill for all this (plus ‘updating’), have a look @ “Secunia”: checks all your 3rd party & OS version for updates.
Freeware.http://secunia.com/vulnerability_scannin…
“New” browser versions normally would be to bolster security, and should be allowed.
Networks, as you hint you have, require Network policy backed up with rigid LAN permissions & denials built into the LAN: unmodifiable by users, to prevent ‘work arounds’ and defeating security measures.
For these LAN’s, a ‘gateway’ would be the best approach.
“Astaro” is one example, but there are others.
Google for alternates & info.