Hi,

Long story, short recap: a Vista-age laptop (Dell laptop with early 1,7 GHz AMD dual core processor, PassMark 1.030) given to an elderly with loads of old office software on it needs a tweak (it runs very slow). I was thinking of doing a clean install with the following components.

Operating system

XP, because I have one lying around and it is in Dutch (which is very important) and I do not want to lose a lot of time finding old drivers etc.

Limited admin rights

Create a new Power User (enable the built-in Admin, keep it as my emergency entry with a new password, delete the user which installed the OS). Power Users are able to install programs, but can't change Windows settings (have access to the Program Files directory).

Uninstall Windows Media Player, IE and Outlook Express. Use only portable 'threatgate' programs which install in the Users directory, e.g. Chrome (default webinstaller), portable versions of Mozilla Thunderbird, Classical Media Player, AbiWord, 7-ZIP and Foxit-PDF reader.

Install Sully's Pretty Good Security (adds Software Restriction Policy to XP Home) and run Chrome and the portable programs as Basic User. Since they are all located outside the Windows and Program Files folders, they don't need Admin access and automatically run with reduced rights.

Deny execute on Data Partition

Create a data partition, move the User Shell Folders to the data partition (e.g. My Documents). Install http://www.fajo.de/main/en/software/fajo-xp-fse. Set a deny execute for Everyone on D:\ with the security tab (Deny execute file/traverse folder). Hide the security tab again.

Simple security

Install Avast file shield only, with sandbox on "auto". Install the Browser Edition of ExploitShield, add Adblock Plus. Keep Chrome updated (giving the Chrome updater unrestricted rights). Use the built-in inbound firewall.

Risk assessment

So they can still install old games like patience, chess etc. (most of them are very old and can't handle DEP).

By using portable programs and running them as Basic User, with the deny execute on the data partition, the attack surface is reduced. Using a Dutch language AV (with auto sandbox) and website protection (Norton DNS, Google Safe-search, Adblock), I hope to keep them away from risky places.

Any ideas, like which hardening tool to use? Requirements: no questions to the users, either block or auto decide.