There comes a point of diminishing returns. My goal is to protect my system, not so limit her options that the likelihood of malware damage is zero. As I said, she's not a mischievous child, bent on clicking on everything and anything just to see what happens. I think there are two primary threats resulting from her use: drive-by malware, and websites that put up a fake, "click here to close this box." Though I suspect there is malware out there that can get around a VM, I doubt that most of it can, and that which might is going to be concerned with identity theft rather than malicious destruction (I don't have computer-controlled centrifuges for enriching uranium :)).

I really don't think this is necessary. Right now, she clicks on the FireFox icon when she wants to surf. With the VM, she'll click on the "Start" icon in Fences box with her name on it.

Whoa! Under no circumstances will I work in a VM. A lot of what I do is extremely CPU-intensive (that's why I bought my Uber Laptoppenstein). I'm not going to take a performance hit in the interest of perfect security (which, we all agree I think, is an oxymoron anyway).

That's the point -- I don't want to "force" her into anything. She's not going to go through my machines, deleting software, changing user permissions, overwriting the MBR, or, for that matter, installing software of questionable provenance, etc. She is going to visit websites that sound interesting to her but, nonetheless, are malicious and will attempt to install malware, either as a drive-by or through social engineering. The VM handles that.

I think, though, that Windows Virtual PC will do the job -- why go to the trouble?

Perhaps that's true. I'm still uncomfortable with the idea.

I've been using Windows, in some form, since 3.1.1 (the lack of networking in 3.1 made it a non-starter for me). Of necessity, given all of the quirks, bugs and idiosyncrasies of the OS, I've learned enough about it to build and maintain my own machines which, themselves, have some rather arcane configurations given what I use them for. As I said, "Damn it, Jim! I'm a lawyer, not a software engineer!" :)

Well, it's a matter of principal. We have iPods because they're unique products -- no other MP3 players have 160 gig hard drives that let you take your entire music collection with you. Otherwise, there are no Apple products in this house, and there never will be, absent another similar entirely unique product.

Well, there's that money thing again (and the space thing). Also, though I've only mentioned it in passing, my primary computer has $800 near-field monitors and a subwoofer. If I was so inclined, I could mix and master studio-quality CDs with this system, and the CDs that I do mix and master are close enough to studio quality that only a true audiophile or audio engineer would be able to hear the difference. I once left a CD from one of the shows that I'm writing in our home theater system and Mrs. PTravel played it without realizing what it was. When I came home she told me that she didn't know I had recorded an album back when I was an actor. :) Mrs. PTravel is a jazz fan and likes to preview CDs that she buys on-line, and also to research performers we may want to go see live. There is absolutely no way that even a very good set of computer speakers is going to approach the quality of the near-fields, and Mrs. PTravel WILL notice the difference.

Oy. Remote Desktop, and other better variants, live VNC, are slow, slow, slow. I use VNC to control the thin clients on my network -- it's fine for them as all I do with them is check on the status of the programs they're running. I also use it to install updates on my media computer in the living room (and to shut it off in case my wife forgets to do so when she's watching NetFlix). If I had to use a remote solution for all my computing, it would drive me insane and, no doubt, would do the same for Mrs. PTravel (not to mention that she likes to looks a web-hosted videos).

All my wiring (and switches and router) is gigabit. However, video is simply too much data, particularly when there are other traffic-intensive applications running, e.g. the mirroring of the two NASes is done with a thin client-based backup program.

The only other machine she'd ever use is the media computer in the living room, and that runs over a 500 meg power-line link (which actually gives closer to 300 meg). It does work fine for Netflix and HBOgo, but I can't see her hunched over the coffee table trying to browse with it. She will NEVER touch my music computer -- that's my security system for THAT machine :) -- though it wouldn't be practical for her to do so, as it's set up with my (piano) keyboard and she'd have to sit at the piano bench to use it. There's a media computer in my bedroom (a retired laptop), the two thin clients that run the FTP server, the MagicJack phone server, the NAS mirroring and a couple of other things, my laptop, the laptop that I gave her, and another retired laptop that, if I ever get the damn thing configured, will run FreePBX. Most of the computers on my LAN are busy doing things on their own and aren't intended for users.

Chrome OS sounds interesting, only because I doubt there's much malware written for it. However, as I mentioned, I want to get my wife used to working in a more "office normal" computing environment.

I previously had VirtualBox installed on my primary machine though, at this moment, I don't why I installed it. Oh, wait, I do remember. I have a couple of HP Touchpads with cyanogenmod Android installed on them. The initial install required installing the HP SDK on my computer and that, in turn, required VirtualBox.

I can, but the differences are enough that it would confuse Mrs. PTravel. She's very resistant to learning the underlying concepts -- she just wants to do what she does and doesn't care how the computer does it.

On this, I must disagree. I work in Word every single working day, and I'm familiar with the free alternatives. Though, for the most part, they're reasonable substitutes for Word, there are enough differences that make them impractical in a law office environment. As you noted, even just moving up through the various Word versions is painful enough (what in the world is Microsoft thinking, anyway?).

I need very tight integration between Acrobat and Word, as well as with Excel and, to a lesser extent, PowerPoint. There's simply no way around Word at this point.

It's easy enough to restore the VM from the backup. She's going to get malware as long as she keeps visiting Chinese sites.

That's what I think, too. Why would a hacker (or Russian syndicate) go to the trouble?

I have one machine on which I installed Win8, just to see what it was. Though I have it configured to boot into "classic" Win7 mode, and use that app, the name of which escapes me at the moment, that restores the Start button, and it DOES run pretty quick on the wimpy netbook on which I installed it, I have absolutely no plans to upgrade any of my machines to Win8, which offers no significant advantages to me at all.

Have you seen the pictures of the Oklahoma tornado damage? :)

I maintain that your best bet is to put Ubuntu Linux (very user friendly and easy to install - easier than installing Windows) on that old Pentium machine, and put that on its own VLAN. She can use your existing monitor that she likes if you buy a cheap KVM switch.

You can install a fully functioning Ubuntu VM in Windows to check it out - go to ubuntu.com and download the installer. It shows up in Windows as just another program that you can uninstall in the Programs control panel. Ubuntu comes with Firefox (Chrome is also available) and a fully functioning LibreOffice suite that is compatible with MS Office. It also comes with games, media programs, and the like. Don't worry about DRM and such - install Ubuntu and see for yourself if it works.

If you really like the idea of a Windows VM, go for it. But I think it can be a bit of a hassle to set up.

Also, I'd suggest she start using Chrome instead of Firefox. Chrome is generally considered the most secure browser.

See, from my perspective, the earlier steps are quite a great deal more basic than the step of running her stuff in a VM. Your opinion clearly varies, and I'm not going to belabor the points about separate logins, UAC, etc.

Speaking of which, if something written for teens isn't going to be too bothersome for her, you might download this free book from Microsoft and see if she finds it useful: http://www.microsoft.com/en-us/downl...s.aspx?id=1522

I wasn't suggesting you would today; you made that quite clear already, hence the use of the subjunctive.

I don't know if it would make as big a difference as you think, though -- CPU/Memory is the one area where running in a VM has little to no impact on modern hardware since the virtualization is almost all handled automatically by hardware inside the CPU cores... especially in the case if you are the only VM running/active. I/O impacts are trickier, and if your audio includes any live recording/analog-to-digital conversion, that's particularly tricky since some of the I/O latency can get very unpredictable (I was reading recently about folks doing pro audio stuff turning off both turbo and power-saving features because of interrupt/DPC latency... at the point you're doing that, virtualization is a non-starter for sure.)

I don't know that it has the tools to do any reasonable network isolation, or how it performs playing video; if it does both well, go for it.

VirtualBox has some good tools for flexible networking, so does VMWare Workstation. I'm not sure what Player has, or if the trick of setting up your options in a trial of Workstation still works. Both VirtualBox and VMWare have pretty good accelerated video driver support when running on a Windows host.

Sounds like you jumped on the networking bandwagon early, although 3.0 and 3.1 worked fine with Netware/LANtastic/MS LAN manager -- there was no native support in the GUI, but there were plenty of networking products for DOS, and by the later 3.1 days most of them had Windows add-ons.

(As an aside, as someone who's worked on both the IT and software engineering sides of the house, while I find them terribly bothersome, there are quite a lot of software engineers who don't know their head from their ... when it comes to the OS or the hardware they're running it on.)

Money, I get. Space, I still don't get; I'm not sure if you can't velcro 4.5"x4.5"x1.55" to the side of your current desktop how it gets adequate airflow :D If that really is too big, what about one of these: http://www.tomshardware.com/reviews/...view,3492.html

If, (and please note the use of the subjunctive here) you were to decide to go with a separate box, I have no doubt that you'd be able to figure out a way to wire the audio out from the smaller box for her either through your main PC or into some kind of mixing input such that she could use your speakers. :)

May well not be worth the trouble, depending on whether you can get adequate network isolation using virtualization.

Sadly, that's the same attitude that probably has lead to all the malware; I can't suggest how to get past it from a social/marital perspective, although I certainly wouldn't want to share a network, let alone individual machines, with someone like that.

I think that makes you a power user. :D

Fair enough, and if you need it, that means when she starts helping you with work, she does. It sounds like she's got a ways to go before she's useful at that; from my perspective, learning the basics on LibreOffice (etc) and then moving to Word wouldn't be the worst idea in the world, but YMMV, and for someone unwilling to learn the basic notion of "this is who you do stuff in general in a GUI" who's looking for "this is the magic incantation I don't understand that gets the machine to do X/Y/Z" then the differences would be frustrating.

I suspect that some combination of user education and better security measures on the machine itself would at least substantially decrease the frequency, but YMMV.

In its current incarnation, I agree. There are several apps which restore the start button/menu; Start8 is generally regarded as the best, and is a cheap commercial one (from StarDock, the same folks who do fences, which you also mentioned.) ClassicShell is the best of the free ones.

While VMs don't have decent graphics the CPU performance is pretty good.

GPU passthrough means you've got the full GPU power of the machine. Well, once it's working; it's a bear to get working in Xen, and I can't imagine it's any easier with anything else (barring Hyper-V, maybe, in an all-Windows environment.)

Not that I'd recommend it to PTravel, but it's worth knowing about.

This is a fascinating thread though I suspect there is a learning curve in setting up VMs, especially with VLAN tags as some have suggested. For a use case where the applications will be very few, even say just a browser, do people have any experience with a simpler sandbox implementation such as Sandboxie?

Thanks.

VLAN tagging has quite a learning curve, yes. I just physically segregate my network into a trusted and an untrusted section.

Just setting up VMs is dead easy; the simplest untrusted VM, and a very good one is to just run a Linux LiveCD (take your pick; pretty much every distro now makes one), point VirtualBox or your choice of virtualization apps at the CD with all the defaults turned on, and you're up and running.

If people want, I can post some screenshots as a how-to.

Setting up a basic Windows VM is pretty much the same except you then have to run through the Windows setup steps, and probably load a video driver afterwards...in general, there's a menu item in the UI to "Load [VMWare/Virtualbox/etc] Tools" which mounts a CD image, and then you just go through that and reboot it.

I've used chroot jails under Linux (and run stuff I really didn't trust ... like software key generators ... under WINE rather than real Windows) before, but never anything else like that under Windows. I was unaware of Sandboxie until you mentioned it.

Funny - I think the Windows VM's are the ones that just work. Install OS, install VM tools, and it works!

I always ended up deleting my Linux VM's because I could never get them to work to my satisfaction. Namely, the desktop resizing feature. As I resize my VM window, the windows guests all resize their desktop to 100% of the allicated space in the host window when guest resizing is turned on. Do you know how to make this work with VMware on Linux? Every time I sized the window to some size other than what it was when the VM booted up, I would end up having to use scroll bars all over the place and it was just darn annoying (because I frequently switch back and forth between a "windowed" mode and a "full screen" mode). Click menu, use scroll bar, find window, use application, use scroll bar, find menu again, use scroll bar, find bottom of screen, use something down there, use scroll bar, resize windows to fit within the host window.... Like many things in Linux, I'm sure it's possible if anyone could just find a setting in there. But I am not a Linux guy and don't pretend to be, though, so perhaps you could point me in the right direction for where to find that.

Linux is not really one OS in that sense, because of the choice of desktop environments... and the proliferation of different versions of the standard stuff across distributions.

With a modern version of X.org and a modern (Gnome 3, KDE 4, etc) desktop + the VMWare video drivers (should be integrated into most non-Debian-based* and desktop-oriented distros), it should "just work."

(* the Debian "open source at all costs" philosophy, which is sadly baked into Ubuntu, means I think they may not be in either Debian or Ubuntu, unless VMWare has open-sourced their video drives... which they may have.)

I haven't used VMWare in a couple of years, so beyond that vagueness, I can't be as much help as I'd like. I can confirm that with VirtualBox and the three liveCDs I happen to have ISOs of sitting on my hard drive:
- OpenSUSE 12.2 ( openSUSE-12.2-KDE-LiveCD-i686.iso ) just works with VM screen resizing out of the box
- archlinux-2013.02.01-dual.iso doesn't have a GUI on the LiveCD (I'm guessing that was intended to do an install. I'm not sure when I was messing with it!)
- systemrescuecd-x86-3.4.2.iso does not work with VM screen resizing out of the box -- I get scroll bars if I resize manually (although VirtualBox resizes the window properly when I change the resolution from within the VM)... not sure if this is a driver issue, or an Xfce issue, since it uses that very basic desktop environment.

With a more conservative, less desktop-friendly distribution like Arch or Gentoo or a more conservative one like RHEL/CentOS or an open-source only one like Ubunto/Debian, assuming a modern version of X and a modern desktop(*) it should just be a matter of running the VMWare tools installer off the CD image (or in the case of Ubuntu, there's probably an installable copy in the non-open-source repository, which it may offer you automatically after the first boot -- ISTR that's what it did for the closed-source Nvidia drivers for me when I was messing with it.)

(* again, Gnome 3 or KDE 4... I generally recommend KDE to Windows people, as it feels a lot like Windows to me whereas Gnome 3 is weirder; maybe more OS X like but not like the old Macs I knew or Gnome 2 which was very Mac-like)

i think Oracle VM VirtualBox or VMWare is SAFER than Windows Virtual PC.

Quite possibly; they're certainly maintained a lot more actively. Microsoft has pretty much abandoned Virtual PC for Hyper-V.

I wouldn't recommend Virtual PC any longer. The performance of either VMWare or VirtualBox will be much better. Alternatively you could upgrade to Windows 8 (har har, I know) and use the built-in Hyper-V client version, but for obvious reasons that might not be a route you want to go.

I don't think performance matters much for the use case he's talking about, basically a sandboxed web surfing environment for his wife.