What to filter when providing very limited open WiFi to a small conference or meeting?

For starters, be very specific about the type of traffic you want to allow. Have a default deny rule then allow ports like 80, 443, 993, 587, 143, 110, 995, 465, 25 (I personally would rather not open this, but you probably will get a ton of complaints if you don’t). Also permit UDP connections to port 53 on OpenDNS’ servers.

This will give you a great start. It’ll kill most of the bandwidth-hogging protocols. It’ll also block a lot of VPN connections (not SSL VPNs though), which should help prevent people from bypassing your security.

If you have a firewall capable of blocking filetypes, you should probably also block exe, bin, com, bat, avi, mpeg, mp3, mpg, zip, bz2, gz, tgz, dll, rar, tar and probably a bunch of others I’m leaving out.

Other than that, your current restrictions are probably decent enough. You can add updates to the list. Personally, I wouldn’t block A/V updates. If you really want to, you can block their entire domains (*.symantec.com, *.mcafee.com, *.trendmicro.com, etc). Microsoft update URLs are available at http://technet.microsoft.com/en-us/library/bb693717.aspx
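As an added illustration (not part of the original answer), here is one way to express the answer's "default deny, then allow a short port list plus UDP 53 to OpenDNS" policy as an nftables ruleset for a guest WiFi segment. The interface name, guest subnet and the decision to log dropped packets are assumptions made for this example; the resolver addresses are OpenDNS' published public resolvers. The script only generates the ruleset text so it can be reviewed before loading with `nft -f` as root.

```shell
#!/bin/sh
# Added example, not from the original post: generate an nftables ruleset that
# implements the "default deny, allow a few ports, allow UDP 53 to OpenDNS"
# policy for a guest WiFi network. Review the output, then load it with:
#   sh guest-fw.sh > guest-wifi.nft && nft -f guest-wifi.nft   (needs root)

GUEST_IF="${GUEST_IF:-wlan0}"            # assumed guest-WiFi interface name
GUEST_NET="${GUEST_NET:-10.10.10.0/24}"  # assumed guest subnet (constructed)
# OpenDNS public resolvers, the only DNS destination the post allows.
DNS_SERVERS="208.67.222.222 208.67.220.220"
# TCP ports the post allows: HTTP/HTTPS, IMAP/POP/SMTP (plain and TLS), SMTP 25.
ALLOWED_TCP="80 443 993 587 143 110 995 465 25"

# Print the ruleset to stdout. Forwarded traffic from the guest interface is
# dropped unless it is a reply to an allowed flow, a new connection to one of
# the allowed TCP ports, or a DNS query to the listed resolvers. Drops are
# logged so the operator can see what guests tried to reach.
guest_ruleset() {
    tcp_list=$(echo "$ALLOWED_TCP" | tr ' ' ',')
    dns_list=$(echo "$DNS_SERVERS" | tr ' ' ',')
    cat <<EOF
table inet guest_wifi {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$GUEST_IF" ip saddr $GUEST_NET tcp dport { $tcp_list } ct state new accept
        iifname "$GUEST_IF" ip saddr $GUEST_NET ip daddr { $dns_list } udp dport 53 accept
        iifname "$GUEST_IF" log prefix "guest-drop: " drop
    }
}
EOF
}

guest_ruleset
```

Because the chain's policy is `drop`, anything not listed (including other DNS servers, so guests cannot simply point at a resolver of their choice, and most non-SSL VPN protocols) is denied by default; to admit a new service you add a port to `ALLOWED_TCP` rather than poking a hole by hand.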
