At several places I've done some work at, I have a suspicion that some of the executives browse porn on their work computers. It appears this porn surfing has led to virus infections on their computers despite the presence of an anti-virus. Filtering these specific users' browsing is not an option, so what would my next best solution be? I put Firefox + Adblock pro on their computers. I'm tempted to add NoScript, but I'm worried they'll start calling when NoScript interferes with browsing on legit websites. Is there anything else I can do to mitigate this risk?
Use OpenDNS Low filtering and tell them that you are securing the company against malware, phishing, etc. You can put in legitimate exceptions by "Manag[ing] individual domains". They're not going to come to you to except porn sites, now are they? ;-)
Cheers
You say: "It appears this porn surfing has led to virus infections on their computers despite the presence of an anti-virus."
I see too many answers focusing on the porn aspect of the issue.
One might land on a porn type "trap site" even when searching for something as innocent as a cookie recipe or pictures of the latest Corvette model.
Since you are already using an antivirus product, it is probably time to review its usefulness and replace it.
But above all else, you need to be certain what is actually causing the infections other than "..this porn surfing..."
Use IE8 or Chrome, which run at a security level below standard user. Run them as a standard user on Windows XP/Vista, so that they cannot harm their machines.
And on Windows Vista: IE8 and Chrome run at a lower integrity level.
Might want to try a sandboxing app like Microsoft's Steady State: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
I'd also recommend a real time malware scanner, such as Windows Defender, on top of whatever anti-virus you're running. Perhaps add in a cloud based malware scanner like Threatfire or Prevx as well.
Filter - but don't block porn. AV and page analysis at the gateway. Block exes. Show them how Firefox is the porn fiend's browser-of-choice.
TBH, I would even be careful admitting you know why, never mind vocalising those thoughts... whatever you need to do has to be fair invisible to the user. Good luck!
Back when I first got into IT, I worked in a small mom-and-pop shop where we went to a lot of small offices. We'd work on their personal computers too for the same rate, and whenever there was a frequent porn surfer I'd just burn them a copy of Knoppix, show them how to boot to a CD and go.
Edit: Have you tried addressing the fact that they are using work computers to look at porn with your boss? You may not have influence over them but someone up the chain can give them a "cmoonnnnnnn"
Another possible option: install Hyper-V on their machine, and once you have a clean .VHD of their computer setup you can let them go. Especially if they're using networked profiles, this would allow them to trash their local machine and for you to restore the original VHD, and their network profile will still be the same, so you could have them recovered instantly.
Word of advice, I'd be very careful with bringing up the topic of why these computers keep having issues if they're at the executive level. Said to the wrong person you might end up with a pink slip.
Sandboxie can be useful for this purpose. Generally it tries to intercept all disk writes and stores them in a sandbox folder. I find it works particularly well when combined with an instance of Portable Firefox.
Options I'd look into...
1) inline filtering. I thought I ran across this setup before; basically having HTTP traffic filtered for malware as they're surfing (filter for content of malware, not block the porn...wanted to make that clear). Something like the implementation for HAVP-Squid Secure Proxy or WebScan from this page. There may be others on that list too.
2) Sandboxie. There may be other software similar to this.
3) Faronics Deep Freeze; however, users can only save data to network drives, their profile, or external drives (or other partitions you configure for saving data to). When you reboot, the computer goes back to the way it was when frozen. We don't run antivirus on systems with this on it since anything that infects it will disappear at reboot (we found deleting c:\Windows to be cathartic...rebooting recovers the OS). This will still let them infect their profile but their system will be safe.
4) Use something like Partimage or other imaging software that will let you create hard drive snapshots in order to recover their systems when they're infected.
That's everything off the top of my head that I would explore as possibilities...
There are ways to deal with these issues but you're going about it all wrong. First, you need to get your facts together. Suspicions and assumptions are useless. This is a simple and routine admin task.