p0et,

Anti-virus
seems to be best in groups, problem is the impact on a network.  Truth is some av companies will "out scoop" the others on some viruses, and other times there defs. will be the last to get updated.  AV is a crapshoot, Symantec seems to have the best reputation, (or at least the biggest market share) but Trend Micro, Sophos, etc. seem to hold their own. Overall I would recommend two virus scanners (from two different companies) for mail servers and one for the enterprise as a whole.  As long as you have it constantly looking for updates thats all you can really do.

Anti-spam

(this is not a commercial and I do not get compensated) you can't get much better than a barracuda spam filter.  I was skeptical at first (and loathed the commercials they play incessantly) but the truth is, it works. 

It allows you as the admin. to set rules and tweak existing heuristics, which stop the spam, before it enters your network.  A common issue with spam filtering is false positives and the loss of critical good email.  This is not an issue with barracuda though, since it sends an email daily to each user letting them know what was blocked.  If there is a good message trapped by the filter, the user simply needs to click whitelist, and the email is delivered.

I love getting my hands dirty and making things work without a fancy gui, but spam is not my passion, and if I can stop spam from becoming someone's full time job (monitoring and retrieving messages) then I couldn't be any happier.

IDS/IPS
I'm sure someone can recommend a good hands on course (believe sourcefire has courses throughout the country)  that will give you the knowledge you need to understand how IDS works, or in the very least give you enough information to get you through an interview.  Hope this helps. Good luck!

I'd give my vote to Sophos, very simple to set up and the enterprise manager is very intuitive. I'd back RichM with the different product on your gateway, belt and braces might not be stylish but stop your pants from falling down, there are even single products that use multiple scanning engines out there.

There are several routes when it comes to web filtering, black/white lists, content scanning, clever AI that combines a bit of everything. If you're looking at playing at home and not having to shell out five or six figure sums then have a look at dans guardian and/or squid guard. We've just implemented netsweeper here for a hugh amount of users and it seems to be a lot more robust than Symantec IGear (now depreciated) that it replaced. Damn-sight quicker too.

Again if you're just labbing stuff up at home, then you can't go wrong with snort, binaries available for most OSs (if you're using OS X it's called henwen) and huge amounts of tutorials online and books out there.

A high level enterprise anti-virus that actually checks behavior rather than just a signature is ideal. Problem is, that can have a performance impact sometimes.  Most anti-virus is signature based and is easily fooled by a skilled hacker.  But you still should use it because it can catch most things that have not been encrypted and have been exposed to the internet for 24 hours. Some companies claim they have signatures available within 4 hours of exposure now, but I wonder about that.   Actually, for most plain old home users I recommend the free AVG.  I have done a number of tests and have been surprised how it has caught things that some of the pay programs have missed.  Also, this is a fun site to test with because it uses a number of ant-virus engines to run tests:

http://www.virustotal.com/en/indexf.html

As far as an IDS, snort still is the one to use.  It takes a little more hands on, but I know of more than just one fairly skilled Admin that have been protecting several critical financial institutions very successfully with it.

I think ClamAV does okay for free AV.  I've run ClamAV on my qmail servers and on workstations before and don't know if it was luck or good administration, but was virus free for several years before I left that company.  I still follow up with that company and understand that they're still standing strong on that front.

For IDS/IPS.  I like snort with guardian.pl monitoring it.  Astaro does okay with theirs also.