I haven't set up a honeypot yet, but
in our company we have everything locked down: Internet access, attachments (they are dumped on the server, and if they are needed the user asks for them), everything. For the people that do need Internet access, we lock it down to only the sites they need and that's pretty much it; they have to come down and request a site to be unblocked. Also, we have the ISP filter almost everything before it even reaches our gateway.
We also did away with DHCP and went static IP. Yeah, it's old school and a pain, but when it's up and running properly it doesn't need to be touched.