What are some good methods to protect staff machines from the staff who use them? I am looking for something that is totally seamless, that the user would not notice...something that would not hinder performance of the machine and would allow the user read/write access to My Documents, his/her desktop, and a couple of folders in Program Files.
My current setup works well, but there is something about it I am not crazy about:
I have partitioned the drive on the staff machines and am storing all static folders on the D partition. The C partition is protected by Windows Steadystate (Disk Protection only, no restrictions yet) and gets restored at each restart.
As I said, this works, but is there an easier way? In the past we have lost some critical staff machines at the worst possible times to malware.
It's really pretty simple: Don't give the users "Administrator" rights and you're 95% of the way to keeping clean, happy machines.
Don't give them "Power Users" under Windows XP or earlier, either, because that's effectively the same as "Administrator" (it's very, very easy to get to "Administrator" from "Power Users").
Not having "Administrator" rights will be no problem for Microsoft Office. It shouldn't be a problem for any application with a "Designed for Windows XP" or newer logo placard (as running as a limited user is part of the logo requirements). It's going to be incumbent upon you to make sure that other applications function properly, but the trade-off in your time making sure the app works versus cleaning up junked-up PCs later is worth it. There are tools that can help you, too. A great one is Aaron Margosis' "LUA Buglight" (see http://nonadmin.editme.com/LUABuglight).
If you find that you need to apply security permission changes to get some programs to work, look at using the file system security settings of group policy to do your dirty-work (assuming you're on an AD domain). Then, at least, you can learn which permissions need to be set once and have group policy consistently re-apply them for you on new computers.
If you're not doing it already, get the user data off the PCs and onto a server computer. Look at using "Folder Redirection" and roaming user profiles to help you with this (assuming, again, you're on an AD domain). Ideally, PCs should be stateless enough that a user can get up, logon to another PC, and have all their data files available. (Application software being available is another story, but there's a "story" for that with software installation policy, too.) I won't go into a big link-fest with these items here, just to keep this answer somewhat on-topic.
If you really want to stop unwanted third-party software, combined with keeping "Administrator" rights away from users you might consider using "Software Restriction Policies" (see http://technet.microsoft.com/en-us/library/bb457006.aspx and http://technet.microsoft.com/en-us/library/cc782792(WS.10).aspx). With software restriction policies in place, a non-administrator user can't execute code outside of the allowed paths (or based on digital signature). Things like Google Chrome, which install in a per-user location (and malicious software of that ilk) won't even function. It's a great feature, and arguably one of the most under-utilized.
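As an added illustration (not code from this thread or from any Microsoft tool), here is a small Python model of how SRP path rules decide whether a non-administrator's executable runs; the policy, the paths and the `C:\Windows\Temp` exception are constructed, while the precedence modelled (default level applies when nothing matches, the most specific matching path rule wins, and the more restrictive level wins a tie) is SRP's documented behaviour.

```python
"""Model of Software Restriction Policies (SRP) path-rule evaluation.

Constructed illustration: the rule set below mirrors the default SRP layout
(default level Disallowed, the OS and Program Files directories Unrestricted)
plus one extra Disallowed rule for a user-writable directory under Windows.
Hash, certificate and zone rules, wildcards and environment variables in
paths are not modelled here.
"""
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

DEFAULT_LEVEL = DISALLOWED
PATH_RULES = [
    (r"C:\Windows", UNRESTRICTED),
    (r"C:\Program Files", UNRESTRICTED),
    # Constructed exception: a world-writable directory under Windows stays blocked.
    (r"C:\Windows\Temp", DISALLOWED),
]


def _normalize(path):
    """Case-fold and parse a Windows path (SRP path matching is case-insensitive)."""
    return PureWindowsPath(path.lower())


def rule_matches(rule_path, target):
    """A path rule covers the path itself and everything beneath it."""
    rule, tgt = _normalize(rule_path), _normalize(target)
    return rule == tgt or rule in tgt.parents


def effective_level(target, rules=PATH_RULES, default=DEFAULT_LEVEL):
    """Return the level SRP applies to an executable at `target`.

    The most specific (deepest) matching path rule wins; if two rules of the
    same depth disagree, the more restrictive level is used; with no match the
    policy's default level applies.
    """
    matches = [(len(_normalize(r).parts), lvl)
               for r, lvl in rules if rule_matches(r, target)]
    if not matches:
        return default
    deepest = max(depth for depth, _ in matches)
    levels = {lvl for depth, lvl in matches if depth == deepest}
    return DISALLOWED if DISALLOWED in levels else UNRESTRICTED


if __name__ == "__main__":
    for exe in (r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
                r"C:\Documents and Settings\alice\Local Settings\Application Data"
                r"\Google\Chrome\Application\chrome.exe"):
        print(exe, "->", effective_level(exe))
```

Run as a script it shows the Office binary under Program Files running while the per-user Chrome install is blocked, which is the behaviour the answer describes.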
You might also consider redirecting their My Documents and other folders to network locations so you don't have to mess with your partitioning scheme and can simply Steadystate the entire disk.
http://technet.microsoft.com/en-us/library/cc977970.aspx
Also consider use of products like Bluecoat proxy servers to protect your Internet traffic from malicious sites. The proxy can not only scan for signatures using AV protection at the web gateway, but you can also block sites using Websense-style category filtering to block access to known malware sites.
Best way to protect machines against staff is stringent permission lockdowns and making sure you're not doling out administrative rights like candy. If they need to do something with NEAR admin rights, assign them to the Power Users group. Make sure your antivirus solution is up to date and running as well.
Make sure that your virus scanner is configured to scan any removable devices plugged into computers. I've had a vendor give us an SD card with Conficker on it because they apparently have poor antivirus policies at their organization. Surprisingly, this was from THE LARGEST company we do business with, a company with well over $100 billion in revenue and 300,000 employees.