Well, my son needed a laptop for his study. It is more or less a forced buy from his university, with a few options. So we decided to use the cheapest one.

Setup will be Vista 32 bits, 4 GB RAM (old DDR2); we will be using the non-addressable RAM as a RAM drive for the swap file.

FireWall
No question, we will use the fastest two-way firewall, low-overhead FW available for Vista. Thanks to Stems post https://www.wilderssecurity.com/showthread.php?t=239750 (and a little help from Vista FW control free, to get the correct paths and executable names to manually allow).

Intrusion Protection
UAC/Norton UAC
No question again. We will use the fastest/lightest intrusion detection available on Vista: UAC. To remember choices we have selected the freebie Norton UAC Tool. BYE BYE ROOTKITS.

Windows Defender
Joined the advanced group, deselected scheduled scans and the on-access scan. WD will still check downloaded programs, but uses very, very few CPU cycles now. Also the other agents will still warn you when an intrusion occurs. BYE BYE SPYWARE.

Virtualisation/sandboxing
Chromium/Iron's Internal policy Sandbox
We downloaded the fastest lightweight browser, the completely disinfected version of Chrome: Iron of SRWARE. We used the mobile version, because it is easier to contain/further limit. Iron (Chromium) has an internal sandbox.

The VISTA virtualisation trick with UAC!
Just to be sure we right-clicked on Task Manager, clicked VIEW, selected Columns, chose Virtualisation (see pic). All Internet-facing programs were forced to run virtualised (similar to running in protected mode like IE8). Also Foxit (PDF), Flash, etc. set to this mode.

Software Restriction Policies
PrettyGood Security
YES it is there, the great Pretty Good Security, just PM Sully when you want to beta test. Version 1028 running great.
SRP Policy
a) All Internet-facing programs run in LUA, except IRON
b) The user space (in our case D:\Data or the moved My Documents) has a DENY execution

EdgeGuard Solo
Runs OFFICE and IRON as limited. Advantage: with EdgeGuard Solo IRON runs when SRP is on all executables (otherwise you have to exclude DLLs); downside: EdgeGuard does not protect against direct disk access, but this is compensated with virtualisation.

AntiVirus/Blocker
Avast Standard Shield
We used Avast free, only the standard module (we have moved the e-mails of Outlook Express to D:\Data\Mail and contained them with Pretty Good Security 102, so only the standard shield is enough). We only check on execute the old DOS and 16-bit Windows programs; 32/64-bit and DLLs are not checked. We have deselected READ scanning, so only checking on Write of new or changed executables. Normally writing is too late, but Avast has its VRDB database to fall back to a previous (uninfected) executable.

Avast Blocker
We also use the old-fashioned BLOCKER (see advanced options of the standard shield) to throw a warning when an executable is RENAMED. The funny thing is this RENAME also prompts into action when an executable is MOVED! This closes the gap of any malware being able to move its executable from the user space (where it cannot execute) to the Admin/system space (where no SRP is in place). PERFECT!

Bottom line
An amazing light setup, safe and super fast (checked with benchmark programs).
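The following is an added example, not part of the original post and not code from any product it names: it models the deny-execution rule on D:\Data and flags the move/rename events that would carry an executable out of that folder, the gap the post covers with a rename warning. The event tuple format, the extension list and all sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

# Assumptions: the deny root is the D:\Data folder named in the post; the
# extension list and the (op, src, dst) event format are hypothetical.
DENY_EXEC_ROOTS = [r"D:\Data"]
EXEC_EXTS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd"}

def _norm(path):
    # Collapse "..", unify slashes and case so rules cannot be sidestepped
    # by spelling the same folder differently.
    return ntpath.normcase(ntpath.normpath(path))

def exec_denied(path):
    """True if path lies inside a folder where the policy denies execution."""
    p = _norm(path)
    for root in DENY_EXEC_ROOTS:
        r = _norm(root).rstrip("\\")
        # Match on a full path component, so D:\DataBackup is not D:\Data.
        if p == r or p.startswith(r + "\\"):
            return True
    return False

def is_executable(path):
    return ntpath.splitext(path)[1].lower() in EXEC_EXTS

def flag_escapes(events):
    """Return (src, dst) for moves/renames that land an executable outside
    the deny zone after starting inside it."""
    flagged = []
    for op, src, dst in events:
        if op not in ("rename", "move") or not is_executable(dst):
            continue
        if exec_denied(src) and not exec_denied(dst):
            flagged.append((src, dst))
    return flagged

# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    ("write", None, r"D:\Data\Downloads\setup.exe"),
    ("move", r"D:\Data\Downloads\setup.exe", r"C:\Windows\Temp\setup.exe"),
    ("rename", r"D:\Data\Mail\note.txt", r"D:\Data\Mail\note.exe"),
    ("move", "d:/data/Downloads/a.DLL", r"C:\Program Files\App\a.dll"),
    ("move", r"D:\DataBackup\tool.exe", r"C:\Tools\tool.exe"),
    ("move", r"D:\Data\x.tmp", r"D:\Data\Mail\..\..\Tools\x.exe"),
]

if __name__ == "__main__":
    for src, dst in flag_escapes(SAMPLE_EVENTS):
        print(f"executable left deny zone: {src} -> {dst}")
```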