Windows without viruses and spyware? Yes, it's possible

How do you protect Dad, Grandma, or Little Ricky from viruses and malware? The conventional wisdom is to install multiple layers of antivirus and antispyware software and then come back once a month to clean up the mess. That's wrong. Here's my eight-step program for creating a practically bulletproof Windows XP machine.

Walt Mossberg of the Wall Street Journal takes tech questions from readers each week and publishes his answers in Mossberg's Mailbox. In this week's column, he tackles a question I get asked all the time. How do you set up a new computer for a relative who is an enthusiastic Internet user but is naive or technically unsophisticated?

I set my parents up with a new Dell PC, and included antispyware software that I run periodically to clean up the computer. I recently discovered they had more than 200 instances of spyware on the machine. This may be because my 81-year-old father surfs porn sites ALL the time (this isn't a joke). Is there any way to keep his computer bulletproof and safe?

OK, first of all, Dad's probably more typical than you might think. Grandma probably doesn't visit a lot of porn sites, but teenage boys and old men probably do (and so do a lot of guys in between those ages). Walt correctly notes that visiting these "bad" websites is a surefire way to run into the most aggressive pushers of viruses, Trojan horses, and spyware.

Walt's answer is the same one you'll get if you ask most reasonably experienced Windows users: "[Y]our best option is to switch to a type of antispyware program that blocks the installation and operation of spyware and adware programs as it is happening, rather than waiting until they are installed to clear them out."

Sorry, but I completely disagree with this advice. If this is the best you can do, then plan to come back once a month and clean up the mess. On the contrary, I think it's possible to set up a Windows computer for Dad, Grandma, or Little Ricky and make it practically bulletproof. And it shouldn't take more than about 15-20 minutes.

For the sake of these instructions, I assume you're working with a completely clean, trustworthy installation of Windows XP with Service Pack 2, installed fresh from a clean CD or from the recovery CD that came with the computer. I also assume that Dad's broadband connection is protected with an inexpensive hardware router. If you have even the slightest suspicion that there's any malware installed on the computer, then stop right now. Back up any data, reformat, and reinstall Windows. Then follow these step-by-step instructions:

  1. Open Control Panel, go to User Accounts, and create two brand-new user accounts, both in the Administrators group. Let's call them Dutiful Son and Bad Dad. For the Dutiful Son account, assign a strong, randomly generated, impossible-to-guess password. Write it down in a safe place and don't share it with anyone else. For the Bad Dad account, use no password. (Having no password on this account actually makes the computer better able to resist external attacks.) Delete any other user accounts.
  2. Log on as Dutiful Son, visit Windows Update, and get all Critical Updates. Restart the PC, recheck Windows Update, and install any additional updates. Repeat until you see no more available updates.
  3. Configure Automatic Updates to automatically download and install updates.
  4. Log on using the Bad Dad account. Start Internet Explorer and install all mainstream, trustworthy ActiveX controls that Dad is likely to encounter in daily browsing (Flash, Acrobat, Windows Media Player, iTunes, QuickTime, and so on). Then disable the ability to download or install any additional ActiveX controls. (Step-by-step instructions are here, along with a .reg file that you can download to apply the changes automatically.)
  5. Install a good antivirus and antispyware program, download all available updates, and configure it to automatically retrieve updated definitions. This is a final line of defense only. The other changes you make here should render this protection superfluous for attacks that rely on social engineering.
  6. Open Control Panel, double-click System, click the Remote tab, and configure the Bad Dad account to allow Remote Assistance invitations to be sent. If Dad runs into trouble later, this setting will give you a fighting chance at fixing the problem without having to make a house call.
  7. Log off. Log back on to the password-protected Dutiful Son account and change the account type for the Bad Dad account to Limited.
  8. Log off and log back on to the Bad Dad account.

You're done. Now, when Dad goes off looking for naked pictures of girls who are young enough to be his great-granddaughter, he won't be a virus victim waiting to happen. If he uses Internet Explorer, any ActiveX prompt will be completely blocked and he'll be unable to approve its installation no matter how convincing the pitch is. If a website or a virus-infected email offers to download an executable program, he'll be unable to install it. In short, you'll have protected him (and his PC) from himself.

Now go through and install any software that Dad needs. If you think he'll be safer using Firefox, go ahead and install it, making sure to add any necessary plug-ins. If Dad has a favorite piece of software that won't install in a Limited account and instead requires Administrator privileges, find an alternative. Whatever you do, don't give him the password to the Administrator account.
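
To confirm the end state of steps 1 and 7, here is an added example that is not part of the original article: a cmd.exe batch file, run from the Dutiful Son account, that checks that Bad Dad is a Limited account and that blank-password accounts are restricted to console logon. It assumes the account name is exactly Bad Dad and that the built-in groups carry their default English names.

```bat
@echo off
rem Added example: audit of the account setup described in steps 1 and 7.
rem Assumption: the everyday account is named exactly "Bad Dad".
setlocal
set "LIMITED=Bad Dad"
set RESULT=0

rem Check 1: the everyday account must not be listed in Administrators.
net localgroup Administrators | findstr /i /c:"%LIMITED%" >nul
if not errorlevel 1 (
    echo FAIL: "%LIMITED%" is still a member of Administrators.
    set RESULT=1
)

rem Check 2: it must be in Users, which is what "Limited" means in Control Panel.
net localgroup Users | findstr /i /c:"%LIMITED%" >nul
if errorlevel 1 (
    echo FAIL: "%LIMITED%" is not a member of Users.
    set RESULT=1
)

rem Check 3: accounts with a blank password may log on at the console only.
rem This is the Windows XP default; the value must be 0x1.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse | findstr /i /c:"0x1" >nul
if errorlevel 1 (
    echo FAIL: LimitBlankPasswordUse is not 1, so a blank password is usable over the network.
    set RESULT=1
)

rem Show who still holds administrative rights so stray accounts stand out.
echo Accounts in the Administrators group:
net localgroup Administrators

if %RESULT%==0 echo OK: "%LIMITED%" is Limited and blank passwords are console-only.
endlocal & exit /b %RESULT%
```

A non-zero exit code means at least one check failed; rerun it after any software install that asked for the administrator password.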