Do I need virus and firewall protection?

Customer has a 5-station XP peer network, with a DSL router attached to the hub as well.  Only two of the stations ever access the internet.  They don't want to spend unecessary money, so here are the questions:

1) Do they really NEED norton antivirus on EACH computer, or can they get by with it on just those two that ever access the internet?

2) Same thing with norton firewall--do the NEED it on EACH computer?

I know it would be BEST to have it on all, but is it actually a risk by not having it on the stations that never open IE and never go on the internet in any way, and never get e-mail, etc?  They are just basic workstations that happen to have access to the internet only because all the stations and the router are on the same hub, but they never access the internet.

If it's NOT OK to just protect the two that access the internet, please help me understand WHY so I can explain to them why they need to protect them all...thanks

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
YES, modern viri go out of their way to infect neibouring PC's on their victims network. some even set up server applications just to find close computers to infect :)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rich RumbleSecurity SamuraiCommented:
Typically you need AV on each, and you'd have all PC's go through 1 firewall.

[Internet --> FW --> Users] or  [Internet --> FW --> Router/switch/hub --> users]

To save money though, you should try a program like ZoneAlarm. They have a Free version that will do what I am about to detail:
ZA not only block's attempts to access your macnines, but it also blocks access to processes, until the user has told ZA that is ok to allow, or it should deny the process. So if your PC was the 1st to get hit by a virus, and that virus wanted to infect others and spread... it would start a new process, and ZA would prompt you asking if you would like "viri.exe" to access the internet, or act as a server etc... you would say no, and place a check mark in the "remember this response" box.

Now... ZA will deny the virus access, BUT it will not clean it off your system. You need AV to do that, or use the tools from the big 2 (mcAfee and Norton) to get rid of them. Each time a new virus comes out, Norton and McAfee typically put out stand-alone programs that will remove and find one or two different virus'. These tools are free.

However, the real price advantage is in TCO- total cost of ownership. PutMcafee on each machine, even ones that do not access the internet, and a single FW at the preimeter of the network, this will keep administration cost and task's lower.
But.... If this is your network: Internet -->HUB/Switch --> users
Then yes, they all need AV and they All need FW, not necessarily Norton's... As it may not have the process locking features. Again, ZA is free, and a great FW. As stated above, since they are all able to see one another, since they are on a hub, they will infect even the macines that don't access the internet. Your less likely to get infected from those... but they are able to be infected nonetheless.
sasllcAuthor Commented:
Very helpful, but I'm not clear on how to use just one instance of firewall 'on the perimeter', because in this case, they have 5 XP computers hooked together peer-to-peer through a hub, and the DSL router is hooked to the hub as well.  So, if I were to put one copy of ZA (or other firewall) on the network, WHERE would it need to go?  Which computer?
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

I agree with PETELONG and RICHRUMBLE - You definitely need a good protection on all the computers, and you don't have to spend much money on it.

Today you have to face, that one computer infected vith virus or spyware or trojans or backdoors, will indeed infect all other computes on the same hub. No doubt about it.

Remember the NIMDA virus ?
PE_NIMDA.E is a fast-spreading Internet worm and file infector that arrives via email, as an attachment called SAMPLE.EXE. It employs several infection mechanisms and exploits several known vulnerabilities. Similar to the original variant, PE_NIMDA.A, it has four modes of propagation: through email, through network shared drives, through unpatched IIS servers, and through file infection.
***end of quote

You should immidiately install both antivirus and antispywareprograms (they does'nt allways do the same), and you should also install a firewall. And you should also get all the latest hotfixes from microsoft

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:

If you get's an ActiveX error, when loading the HouseCall web page:

If you want to secure your one workstation in the future, consider to purchase PC-cillin with builtin firewall:
Getting a personal Firewall

Download the free version of Sygate personal firewall

Download the free version of ZoneAlarm firewall

Comparative reviews of personal firewall software: 

Firewall Product Selector - Choose yourself which one to compare
Rich RumbleSecurity SamuraiCommented:
No no no no stop the spam...
Rich RumbleSecurity SamuraiCommented:
too late... more to follow... gahhh

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:

SpyFerret detects & removes spyware

Bazooka Adware and Spyware Scanner v1.13.01

Automatic check of your browser for parasites, adware and spyware
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!
Rich RumbleSecurity SamuraiCommented:
every time...
>"So, if I were to put one copy of ZA (or other firewall) on the network, WHERE would it need to go?  Which computer?"

On each computer!
About Windows Update (SUS)

Download and install Microsofts automatic update server (also known as SUS)
Rich RumbleSecurity SamuraiCommented:
You'd need one computer to be your gateway. It would need 2 NIC's  so your network would look like:

Internet (the router that is)-->  nic1            nic2 -->hub --> other pc's;EN-US;234815
The FW-PC would use ICS (windows internet connection sharing)  Nic1 would be connected to the router (dsl/cable router)  and nic2 would connect to the hub, along with the other pcs
But if you don't what to rework your network, ZA on each pc would be grand. ZA is chatty at first... then you'll get fewer and fewer pop-ups asking to allow this and that... read the documentation fully.
Check out the dsl/router that is currently installed to see if it has a built in firewall... Typically the basic router will have what is called a NAT(network address translation) firewall... If you have the NAT fire wall built into the router that will suffice for blocking unwanted incomming traffic from the internet.  In addition to the NAT firewall you could turn on the firewall that comes with XP, it is under the connection properties.  Speaking from experience, put Antivirus on all computers.  (like someone said previously, it will save money in the long run.. (I like Norton, I've had too many bad experiences with McAfee).

Good Luck
Pete LongTechnical ConsultantCommented:
:o) Glad we could help you - thank you for the points

BTW: Have a look on
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.