Hello Jason,
Last question first: the virus scanners, no matter if you use McAfee or Sophos, basically do know about all common filetypes today, so unless a file is password protected, any virus or trojan will be found, even if the sender renamed the extension to something "harmless", as the scanners do not care about file names and extensions.

So to answer your first question, it's all about the policies you have in your organisation, and thus there are no best practices around. I.e. most companies do not allow executables at all, or multimedia files, as they are most likely not business related. So that's why, apart from blocking extensions, you also have the possibility to block filetypes or groups of filetypes. The advantage of blocking a filetype instead of an extension is that the filter looks for the actual type, no matter what the file name + extension says.

That would be the only suggestion I'd give. Looking at your list of extensions, I'd say it's pretty much covered by the filetypes "executables" and "media", except for the URL and VB script, where an additional condition looking for the extension would make sense.
Hope that helps,
Regards, Andreas
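
The filetype-versus-extension distinction in the reply above, as an added example that is not part of the original post and not any vendor's rule set: the attachment's leading bytes decide the group, and an extension rule catches text-based types such as .url and .vbs that carry no signature. The signature table, function names and sample attachments are constructed for illustration.

```python
import os

# (offset, signature, group) - a small constructed subset of well-known magic bytes.
MAGIC = [
    (0, b"MZ", "executables"),        # Windows PE/DOS (2 bytes only, so false positives are possible)
    (0, b"\x7fELF", "executables"),   # Linux ELF
    (0, b"ID3", "media"),             # MP3 with ID3 tag
    (0, b"OggS", "media"),            # Ogg container
    (4, b"ftyp", "media"),            # MP4/MOV family
    (0, b"\x1aE\xdf\xa3", "media"),   # Matroska/WebM
]
BLOCKED_GROUPS = {"executables", "media"}
# Plain-text formats have no reliable signature, so they need an extension condition.
BLOCKED_EXTENSIONS = {".url", ".vbs"}


def detect_group(data):
    """Return the filetype group implied by the content, or None if unknown."""
    for offset, sig, group in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return group
    # RIFF is a generic container; the form type at offset 8 says AVI or WAV.
    if data[:4] == b"RIFF" and data[8:12] in (b"AVI ", b"WAVE"):
        return "media"
    return None


def verdict(filename, data):
    """Content rule first, extension rule second; returns (action, reason)."""
    group = detect_group(data)
    if group in BLOCKED_GROUPS:
        return ("block", "filetype:" + group)
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return ("block", "extension:" + ext)
    return ("allow", "no rule matched")


# Constructed sample attachments: (name as sent, leading bytes).
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),        # executable renamed to .pdf
    ("clip.txt", b"\x00\x00\x00\x18ftypmp42"),            # video renamed to .txt
    ("link.url", b"[InternetShortcut]\r\nURL=http://example.invalid/\r\n"),
    ("run.VBS", b"MsgBox 1"),
    ("notes.txt", b"meeting at ten"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, verdict(name, data))
```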