The gold standard approach would be to put all of your PCs on a Windows domain and run WSUS to control the distribution of Windows updates along with Windows Defender definitions.
If you're not ready to go that far with it, Symantec Endpoint Protection has been good to me in the past.
Keep in mind that a virus is most likely going to spread to unpatched machines on your network, so Windows Update is going to be the more important thing imo.
Another common way to air gap your system from integrators is to provide them with a terminal server to RDP into for programming. You'd install whatever client software you need on this machine, and would use a firewall to make sure it is properly segregated from your control network.
I think you are confusing product names.
Symantec Endpoint Protection is anti-malware.
Symantec Client Management Suite is enterprise-scale OS management, software deployment, patching... closer to SCCM.
Symantec Ghost Solution Suite, formerly known as Altiris Deployment Solution, is an OS deployment and task server. I think this is what you mean.
data loss prevention. I mean, I don't think I would have resources detailing how they are built, as one would assume most companies keep these things private, as it's the product they are selling. But if you go to the website of any vendor, you'll likely see an overview of what the product does.
https://www.symantec.com/products/endpoint-protection
This should provide a more general overview.