Most spyware gets onto users' computers by simply viewing webpages and using security flaws in Internet Explorer installs on the user's system, or it's bundled with free software they download or get free on a magazine. I don't think you can fully block spyware at all with the router unless you block all websites known to contain spyware, which would be a mammoth task! You just need to ensure your users are up to speed on WinXP updates and all have antivirus and spyware scanners installed.
You can get a list of known ad-serving hosts/IP addresses and change their domain name resolution locally. That's what I do. Of course, you will want to be careful not to block any that could cause issues with major search engines (Overture?).
You can use a connection limit if the spyware is too aggressive for the router. Then at least internet performance won't suffer and the users will have to be responsible for their PCs rather than you having to block them.
Well, some ISPs set a limit on TCP connections. If spyware and virus traffic is opening many connections to do whatever damage it does to whatever server, this can cause loss of internet access to other users when the limit is reached. You can specify a limit for each user and it will help to stop this problem. See the manual on firewall filters for more info.
I would have a link for you, but the MikroTik documentation links seem to be down right now, so you will have to search yourself.
Exactly. It is a good thing to set the connection limit to a certain level. We limit the TCP connections to 250 per user.
This is the instruction:
add src-address=126.96.36.199/24 protocol=tcp action=drop \
connection-limit=250 comment="" disabled=no
This helps a lot when a customer has a virus. We have all customers on PPPoE, so to generate traffic to other users they have to pass through the access concentrator. There are then some rules to be put in place to block or shape/limit user-to-user connections. This depends on your needs.
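To see which users would hit the 250-connection limit discussed above before a drop rule is enforced, the open TCP connections can be counted per source from a connection list. This is an added example, not part of the original posts and not MikroTik code; the input line format, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

LIMIT = 250  # per-user TCP connection limit quoted in the thread


def over_limit(rows, limit=LIMIT, prefix=32):
    """Return {source network: open TCP connection count} for sources above limit.

    rows: iterable of 'proto src_ip:port dst_ip:port state' strings
    (a constructed, simplified format, not any router's real output).
    prefix: IPv4 prefix length used to group sources (32 = one host).
    """
    counts = Counter()
    for row in rows:
        parts = row.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        proto, src, _dst, state = parts
        if proto != "tcp" or state in ("close", "time-wait"):
            continue  # count only TCP connections that are still open
        ip = src.rsplit(":", 1)[0]
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:
            continue  # source is not a valid IPv4 address
        counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n > limit}


def sample_rows():
    """Constructed sample: one host far above the limit, one normal host."""
    rows = []
    # 192.0.2.10 holds 300 open connections to many different servers
    for i in range(300):
        rows.append(f"tcp 192.0.2.10:{1024 + i} 198.51.100.{i % 250 + 1}:25 established")
    # 192.0.2.20 is a normal user: 40 open web connections and 10 closed ones
    for i in range(40):
        rows.append(f"tcp 192.0.2.20:{2000 + i} 203.0.113.5:80 established")
    for i in range(10):
        rows.append(f"tcp 192.0.2.20:{3000 + i} 203.0.113.5:80 time-wait")
    rows.append("udp 192.0.2.20:53000 203.0.113.53:53 -")  # ignored: not TCP
    return rows


if __name__ == "__main__":
    for net, n in sorted(over_limit(sample_rows()).items()):
        print(f"{net} has {n} open TCP connections (limit {LIMIT})")
```

Grouping with `prefix=24` counts a whole subnet as one unit, which shows how a per-subnet limit would also catch the normal user sharing that range.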