Windows 7 security settings that cannot be dispensed with

Hello Experts,
I have a question about the settings that must be made by an expert after the installation of Windows. I mean the recommended security settings that shouldn't be missed, such as firewall settings, antivirus settings, network settings, registry, and programs that cannot be dispensed with "for security".
Generally, as an expert, how do you secure a PC in your network so that it is ready for employees to use?

TemodyPickalbatros, IT Manager Commented:
If this is in an AD (domain) environment, the main security settings will be applied from AD Group Policy,
so if you need the GPO settings, please let me know.
But at the computer level there are steps that must be followed even before joining this computer to the domain:
1. Windows must be up to date
2. Any antivirus program suffices as long as it is up to date
3. Antispyware programs are also necessary, up to date
4. Make sure that all local users are deleted except your local admin, with a complex password
MASWORLD, Author Commented:
Thank you for the reply.
I have already done every step mentioned in your comment, thanks,
but I am talking about more advanced settings, not the regular ones,
the settings for experts.
David Johnson, CD, MVP, Owner Commented:
Install EMET, and all users must be standard users.
MASWORLD, Author Commented:
@David Johnson thank you for the answer.

Can I use it on standalone Windows 7, or must it be an AD environment?
David Johnson, CD, MVP, Owner Commented:
Doesn't matter, domain or standalone.
MASWORLD, Author Commented:
@David Johnson very nice programs, really.
But are there any other tricks in Windows, like registry or system settings?
Must-haves for high security:
- Fully encrypted OS; the encryption in use must know a user hierarchy, so that only admins can mount the drive offline.
- Only trusted software should be used; if possible, use AppLocker to enforce this.
- Let users use and admins administer, no exceptions.
- Use RemoteApp browsers only, else no internet access.
MASWORLD, Author Commented:
Yes, I need a high-security system.
That's what I am talking about, but I am not looking for the usual security steps like antivirus.

@McKnife you are right, I have already applied all this, but I also found an attacked computer in the network.

I am looking for some special apps like the ones Mr David Johnson suggested.
You applied all four measures? What encryption do you use, what RemoteApp system? AppLocker or SRP?
MASWORLD, Author Commented:
Microsoft CRM works as a RemoteApp; I am using Citrix XenApp 6.5.
Other apps: only the Office group and antivirus, no multimedia, and sound disabled ;)
All user drives work with BitLocker encryption, all C drives hidden.
TMG firewall: only POP3, IMAP, and ICA allowed for users, no internet at all.
Very tough GPO applied for all users; even background and right click prohibited.
And you say you used AppLocker as well? Then I wonder how that PC got infected. Did you analyze it?
MASWORLD, Author Commented:
"Did you analyze it?"
I found in the antivirus log an infected file whose path leads back to email (Outlook),
but the antivirus had already quarantined this file.
After a couple of days I found unusual HDD traffic on this computer, and the employee complained that his computer was very slow,
and I found that the antivirus still found a virus on the PC, with high memory and process usage.
So I formatted that PC and restored the Windows image, and it works fine.
So I decided to search for any way to improve my network security.
MASWORLD, Author Commented:
Another thing I forgot to say:
after I checked the mail with the virus, I found that the mail looked like mail from one of our customers.
So if the customer's mail is like this, it was sent from name@xycompony.come, with O not with A.
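
A way to flag the kind of sender described in the post above, where one letter of a known customer's domain is swapped. This is an added example, not part of the original thread; the trusted domain list, the `.example` domains and the function names are constructed for illustration.

```powershell
# Added example. Trusted domains and sample senders are constructed values.
$TrustedDomains = @('xycompany.example', 'contoso.example')

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance using two rolling rows.
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @(0) * ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)   # delete / insert
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)   # substitute
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-SenderDomain {
    param([string]$Sender, [string[]]$Trusted, [int]$MaxDistance = 2)
    # Compare only the part after the last '@', case-insensitively.
    $domain = ($Sender -split '@')[-1].Trim().ToLowerInvariant()
    if ($Trusted -contains $domain) { return 'trusted' }
    foreach ($t in $Trusted) {
        $d = Get-EditDistance -A $domain -B $t.ToLowerInvariant()
        # A near miss of a trusted domain is more suspicious than an unknown one.
        if ($d -le $MaxDistance) { return "LOOKALIKE of $t (distance $d)" }
    }
    return 'unknown'
}

# Constructed sample senders: genuine, one-letter swap, unrelated.
'name@xycompany.example', 'name@xycompony.example', 'info@unrelated.example' |
    ForEach-Object { '{0,-26} {1}' -f $_, (Test-SenderDomain -Sender $_ -Trusted $TrustedDomains) }
```

The same comparison can be run over sender addresses exported from the mail gateway log to surface lookalikes before a user opens the attachment.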
So you did rely on antivirus software instead of using the proactive AppLocker. It wouldn't have happened otherwise.

MASWORLD, Author Commented:
What proactive AppLocker do you suggest?
AppLocker is built into Windows in the Enterprise edition.
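
One way to check whether AppLocker is actually enforcing on a workstation, and whether files sitting in a user-writable profile folder (where a mail attachment ends up) would be allowed to run. This is an added example, not part of the original thread; it assumes an edition that ships the AppLocker PowerShell module and audits the profile of the account running it.

```powershell
# Added example, not from the thread.
Import-Module AppLocker   # explicit import is needed on PowerShell 2.0 (Windows 7)

# 1. Rules are only evaluated while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
'Application Identity service: {0}' -f $svc.Status

# 2. Enforcement mode per rule collection in the effective (GPO + local) policy.
#    A collection left at NotConfigured or AuditOnly blocks nothing.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# 3. Collect executables, installers and scripts already present under the
#    user profile, including hidden folders such as AppData.
$extensions = '*.exe', '*.msi', '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1'
$files = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Include $extensions `
             -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $_.FullName }

# 4. Ask the policy engine for its decision as a non-admin principal and
#    list everything that would NOT be denied.
if ($files) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $files -User Everyone |
        Where-Object { $_.PolicyDecision -notlike 'Denied*' } |
        Select-Object FilePath, PolicyDecision, MatchingRule
} else {
    'No executable or script files found under the profile.'
}
```

Any file listed by step 4 can run from a location the user can write to, which is the gap a mail-delivered executable relies on.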