How to secure a vista machine for public USB drive use

Hi Experts,

I'm setting up a laptop running win vista ultimate for a friend who will use it in a small print shop.  It'll be connected to a big Minolta office printer copier.  The shop owner will be inserting customer USB sticks and printing docs etc.

How can I minimize the likelyhood of viruses and malware getting loaded when the USB sticks are used?

UAC is enabled and I setup a none  admin user  account for him to use when printing.  It's currently running AVG 2012 and all win updates are done.  

Any tips on how to really lock this account and machine down to reduce risks when the shop owner is doing this printing from USBs?


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
This is fine as a starting point. Two things:

1. I have had very bad luck with AVG and would not use or recommend it. People will have all kinds of opinions but something stronger is warranted.

2. Use the Vendor Software or Acronis (or such like) to make a recovery DVD of the system. If this is really all it does, a good backup will save tons of time when the inevitable happens.

.... Thinkpads_User

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The two things I'd be most concerned about are:

1) Autorun.  Make sure this is disabled for flash drives (you can google this).
2) Clerks clicking things that look like docs, but are really programs.

For #2, I might be thinking about using Software Restriction Policies in the Local Security Policy.  With this, you can prevent any programs being run from the flash drive (or alternately, enable the running of programs, but only from c:).

I guess that brings up point #3: What if they copy the malware from the flash drive to c: for processing?  You could have a "working" directory where all in progress docs are stored, then use SR to restrict programs from running there as well.

Note that using SR only disables PROGRAMS from being executed from these locations.  It does not prevent docs from being read from or saved to other locations.

Certainly reduces the potential for mischief.
use deepfreeze :
every reboot, it will undo ALL changes made
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

alternatively, you also have mS Steady State :
I believe MS has discontinued Steady State.  But now that you have reminded me, what about Virtual PC?  It has an Undo mode.
You will be fine, but may I suggest switching to Microsoft Security essentials. Also disable AutoRun.
HelpNearMeAuthor Commented:
Thanks everyone for the suggestions!

JohnBusiness Consultant (Owner)Commented:
Thank you. I was happy to help. .... Thinkpads_User
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.