Just to beat a dead horse a bit more... Windows 7 will be with SP1, no further updates. Windows XP will be with SP3 and IE 8, no further updates. DEP will be turned on globally for both OSes. Just to have a vague semblance of fairness, I'll leave UAC alone on 7. (Normally I'd turn it up to max.) Exploits will be via IE 8. Note that we already have some problems here - exploits against IE *need* a means of ASLR bypass on Win7, otherwise they'll be lucky to get as far as crashing the browser. The security programs tested will be Panda Cloud AV and Privatefirewall. These proved to be some of the weaker offerings on XP. I've yet to see how they do on 7. We'll start with XP, while the 7 VM installs. Oh yes - and I'll be taking screenshots.