How safe is Windows Virtual PC?
 

I've previously recounted my struggles against malware that got on my machine, I think, because of Mrs. PTravel's surfing. As some of you advised, I'm in the process of setting up a virtual machine on my Windows 7 to computer to run a copy of Windows 7 that will be Mrs. PTravel's computer.

I just want to make absolutely sure that, whatever she does in her sandbox, it will not do any damage to the real PC's data.

It is 100% separated, unless you open things up like access to local folders.

In a normal setup, nothing that happens in the VM will make its way across.

it is separate but always back up your data externally (the least to an external drive, preferably something in the cloud) and in this case make sure she is not an administrator and use a browser with add ons (firefox) that will help keep things from downloading in the first place. a good anti-virus as well.

i might reocommend a dual boot instead or just a cheap laptop that you can reimage at the drop of a hat. i recommend macrium reflect, free program, to do so.

My data is either stored on or backed up to a RAID5 NAS which, in turn, does a mirrored backup in real time to another RAID5 NAS, with critical backup sent nightly to a backup server I maintain just for myself at my office. My wife uses FireFox and, of course, I had anti-malware installed on the computer she was using AND it sits behind my router's firewall. My data was damaged. However, even with all the anti-malware precautions, she still managed to infect my primary desktop, my laptop and one other machine that sits on the LAN (and probably a couple of the thin clients, but I just rebooted them which is a quick fix to the problem). The problem was the anti-virus software (Microsoft Security Essentials) let this particular thing through. Malwarebytes couldn't detect it, nor could RogueKiller. Webroot did and, supposedly, removed it from the system. However, I wasn't comfortable with that, plus there were other oddities happening, which may have just been damage done by the malware, so I repartitioned the SSD and re-installed the OS.

In other words, all of the usual precautions failed -- I suspect she went to some website and got a particularly nasty drive-by infection.

I don't want dual boot on my primary computer for a number of reasons, not the least of which is I don't want to give up the space on the SSD, and I don't want her to have direct access either to the internal hardware or computers and drives that sit on the LAN. She likes my computer becuase it has a nice, big 32" 1920 x 1200 monitor and won't accept a laptop, of which I have several spares. A virtual PC is the best solution, has the smallest footprint, and appears to provide the best security. All I have to do, in case she messes it up, is rename the backup copy of the virtual machine and copy it to the Virtual PC directory.

i see, well i would use some type of backup that has versioning and/or multiple copies, real time is great in theory, but if the data gets damaged so does your backup. and raid is not bulletproof.

your 32" monitor won't accept a laptop signal? you can't throw a KVM on there and run a separate machine?

virtual machine, in my opinion, won't solve your problems completely but good luck.

My budget doesn't allow for it. My RAID is not bulletproof, but two NASs plus an off-site is as close as I'm going to come.

The monitor will. My desktop won't -- there isn't room for her to set up a laptop. :)

Nothing will solve my problems completely, but I can't think of any downside to a virtual machine. What problems do you think might result?

With a VM application like Virtual PC (or VM Workstation or VirtualBox) how do you keep her from getting into the main PC when she has to log into it to get to her VM?

Also, I'd guess she doesn't play any games (etc), as the 3D performance tends to be abysmal on VMs, but as long as she doesn't need it, it's an irrelevance. (* there are some exceptions, where you can pass the GPU entirely to the VM, but they are currently a bear to get set up.)

The alternatives would be a hypervisor where there's no outer OS to log into (or a very thin one she can't get into trouble with) like ESX/Xen/Hyper-V. The free edition of Hyper-V is likely your best choice there (eta: and by "best" I mean easiest to get set up if you're familiar with Windows.)

--

As an alternative, what about a second cheapie USFF desktop with a KVM switch? Something like an Intel NUC or Mac Mini is even smaller than a laptop, and would share the same screen.

Also, given her propensity towards picking up malware, any chance of getting her onto Linux or the MacOS? Neither's inherently that much more secure than Windows, but both are the targets of less malware at this point.

Lastly, if still on Windows, any chance of keeping her on a non-administrative account?

She's not a mischievous child -- she just doesn't know a lot about computers. :) I've set it up this way: I use Fences, which lets me organize icons into groups inside translucent boxes with labels at the top. One of the boxes has my wife's name and there's just one icon in it, labeled "start." When she clicks on that, the virtual machine starts and opens into full screen with a different background than main desktop. As long as she sees the Grand Canyon instead of the Ocean Sunset, she knows she's good to go.

Neither of us play games. She watches videos on websites, but my system is fast enough to do that.

I'm not familiar either with the term, "hypervisor" or the software that you've mentioned, so I had to look it up. The machine that runs the virtual PC is the one I use for video editing, audio mixing and photo editing. I need all the power of my machine available to me to do this. I can't imagine what benefit I'd get from a hypervisor that would force me to work in a virtual PC.

First off, I don't allow Macs in my house. I don't like their OS philosophy of "we know better how you need to work than you do," I don't like a proprietary (or quasi-proprietary) hardware and software system, and I don't like paying triple the cost for software and hardware. Next, there is no room in our small apartment for a work space with another PC, regardless of what it is. I have a perfectly serviceable dual-core HP laptop that was replaced by my new quad-core Uber Laptoppen. I've got a USB-based docking station for it that works perfectly well with an extra 1920 x 1080 monitor I've got sitting around. I have extra keyboards and mice galore. In other words, I could set my wife up with a perfectly competent work station for what she needs to do. The only problem is there is no place to put it. There isn't even a space for another mid-tower and a KVM switch (and I have those, too).

Linux? It will never happen. I have a couple of Linux boxes -- one is a laptop that I'll use to setup FreePBX* (an Asterix variant) on, and the other I used to use as a server and to hack DirecTV boxes (for pulling off recordings, not for stealing DirecTV). To paraphrase Bones McCoy from Star Trek, "Damnit, Jim, I'm a lawyer, not an IT guy!" :) I can barely manage in Linux. Mrs. PTravel will just blink at me, walk away and then sit down at my Windows 7 machine. As for MacOS -- no way, on principle.

With Virtual PC, she can pick up all the malware she wants. If her PC-in-a-PC gets too messed up, I'll just copy over the backup of virtual PC and she's good to go again . . . 'til the next time.

It doesn't matter whether she's on an adminstrative account or not. If she picks up the wrong malware, it can still lunch my system. I've spent a grand total of about 2 weeks re-installing and re-configuring my system, just to get back to a functional machine that lets me do about half of what I had been doing. I still have about 100 VSTs to install, about half-a-dozen major music packages that I use occasionally, and a bunch of other stuff. As I said, I see no down side to a virtual PC, whereas other approaches either involve more risk than I'm willing to accept, more space than I have to spare, or more money than I have to spend without offering much of a significant advantage.

* If anyone has any experience using FreePBX as a front-end for a Cisco SPA 8800, I could sure use some advice. I've got the SPA 8800 working with a POTS phone and a VOIP provider that has really, really cheap rates to China (1.2 cents/minute), but I'd ultimately like to run 3 VOIP lines and 3 POTS line through the Cisco, with FreePBX providing dedicated mailboxes, intelligent forwarding, and voice message attachments to email with both VOIP and POTS phones. I know it can do this but, as I said, "Damnit, Jim, I'm a lawyer, not a digital communications engineer."

Here is my only concern, PTravel: You said last time that once one PC was infected inside your firewall, the problem spread. That could be because credentials were already established with those other PC's, or it could be because there were vulnerabilities in the operating systems of those other computers that could be easily targeted by an infected computer inside your firewall. If the latter, an infected VM is just as good as any other infected computer at probing vulnerabilities.

Personally, I think that as long as you never - ever establish connections between the VM and any other computer on your network, so no credentials could be saved, you'll be fine. I would even go into the network control panel and disable the microsoft networking client on the VM just to make sure. If you have firewall software on the other "actual" pc's that lets you specifically tag the VM as "untrusted" that wouldn't hurt either, but at minimum you'll want to make sure those other PC's have their own software firewall since you will have an "unsafe" computer behind your router. Thousandth's of a percent chance kind of stuff at this point though. I think you'll be fine. Personally I'm not a fan of Microsoft Virtual PC. I much prefer VMware workstation (or even VMware Player) or VirtualBox. Once they changed VPC to the windows 7 version that it ran it's connections via RDP, it seemed far slower to me.

Edited to add: You can run ChromiumOS inside of VirtualBox or VMware. Then you wouldn't even have to have a "vulnerable" windows box. This seems pretty bulletproof and maybe not so intimidating as plain 'ol Linux.

The idea of running ChromeOS is interesting. One of the things I was thinking about this morning was that it's a relatively simple matter for me to get to network assets from the virtual PC, so it would be a simple matter for malware to do it, too. I can't turn off networking because then the machine would lose internet connectivity and couldn't reach any of the network printers. I'm thinking about poking around my dd-wrt router and seeing if there's a way to limit what the virtual machine can reach based on its IP address.

If your DD-WRT flavor supports VLANs, you could potentially put the VM on a different VLAN from the rest of the network - but your hypervisor would need to support 802.11q VLAN tagging. Not sure they do.

How about a firewall in the virtual machine? I could block all ports except 80 for everything but the printers.

That could work too...but if you let any traffic out of the VM on any port, it's conceivable that malware could use that.

It all depends on how paranoid you want to be. Given your wife's penchant for dodgy websites, I'd go with a more paranoid solution: a totally separate PC. Get her a nice big monitor, put Chrome OS or Linux on the PC, and put it on a separate VLAN.

I don't see how a separate PC would be any safer than a VM. Both still need internet access and printer access, which would give both the ability to compromise other machines on my LAN.

Not if you know what you are doing. In a normal setup, well configured, a PC on a LAN can't just go ahead and compromise another PC on the same LAN. In fact, that should NEVER be possible.

Make sure the VM has no write access to anything outside it's own space.

I have a test VM for examining things set up this way--it's got *READ* access to most of my data storage but no write access anywhere other than it's own volume and when testing things in it I normally have it's internet access turned off besides. If something goes wrong I just restore the backup.

That's a good idea. That should solve most of my concerns.

You can turn off the windows network client if you can use a network printer or print server and not have to use windows printer sharing.

I didn't know that. Yes, all my printers are network printers. Does turning off the network client effect internet access?

Or as I suggested, a separate USFF (Ultra-small-form-factor) PC with a KVM switch. The Intel NUC is a whopping 31 cubic inches (Chassis Dimension: 4.59" x 4.41" x 1.55") and will VESA mount to the back of the monitor, velcro onto the wall, or sit happily on the back corner of most towers. The basic (Celeron) model is very cheap, although it's bare-bones: you need to add a minimal amount of RAM, a small SSD, and a power cord. The whole thing is under $300 with the Celeron, a little over $400 with the i3.

I can understand not wanting to spend the money, but the space is smaller than a hardback novel, and there are some nice inexpensive HDMI KVM switches where the mechanism takes up a couple of cubic inches (and no surface space) inline with the cabling.

I know that unbinding the client and server services from the network interface doesn't effect internet access -- in the days before built-in firewalls, I did so routinely. I don't think disabling the service entirely will be a problem, either.

Xen and ESX definitely do; we use both very heavily at work.

For KVM, VirtualBox, VMWare Workstation/Player, and other similar ones, you can set up a virtual NIC with tagging that is then attached to the guest system in bridged mode (this is what Xen does under the skin, actually.) In some of the cases you can also use a NAT-mode virtual NIC with a software firewall on the host machine, no VLANs needed, although that would not protect you on the limited allowed outgoing ports.

Assuming everything will stay 100% secure on the other systems is a dangerous bet -- especially with Windows, and the fact that he's doing some file sharing.

Segregating trusted and untrusted traffic, either via VLAN, or better yet, physically segregating the untrusted LAN, is a good idea.

No separate user logins??? The "switch user" feature in current versions of Windows is a good thing; my wife is reasonably technical, and she still gets separate logins.

...and I'm guessing requiring a reboot between her use and your use would take too much time? Otherwise, her use could be in a VM on a standalone hypervisor, and your use could be on bare metal. It's not hard to set up dual-boot.

I wasn't suggesting you use it...

I don't care for it either, but something a bit more locked-down might be a good thing for someone like your wife who is managing to malware-up Windows. (Ditto a version of Linux focused on end-user usability.)

If you don't feel like paying Apple for the privilege, it's not exactly hard to avoid it and run their OS on commodity hardware. :D

It's not that much more expensive anymore; the Mac Mini is about half again more expensive than the i3 NUC, but that's hardly apples-to-apples comparison.

Hence my suggestion of a KVM. If your space is truly so small you can't find space for a USFF machine on the scale of the NUC or Mac Mini, well, that's a tiny space indeed, but I can't imagine it.

A mid-tower is a whole lot bigger than a USFF machine, and if the KVM adds an appreciable amount of space, you've got a bulky professional one not a nice simple two-machine model that should be no bigger than a deck of cards with two cables sticking out of it.

Does she use any Windows applications other than a browser? Ubuntu (or ChromeOS, which is basically just a very cut down version of Linux) is pretty dead easy at the sit-down-and-pull-up-a-browser level.

It sounds like you're trying to do stuff that's a good deal more complicated than set-it-and-forget-it machines that someone does browsing on, and maybe some light office tasks (assuming LibreOffice and/or Calligra is an adequate replacement for Office.) In that sense, GUIs are fungible. But this one isn't for the power-user, it's for the dangerous non-technical one.

(Linux, and potentially in some cases, the MacOS, may be a non-starter if the videos she's watching online are DRMed.)

That's a good reason to use a VM, regardless of what OS it runs on (and per

Sure, if she picks up the wrong malware. But the an awfully large group of malware out there is still the "trojan horse" kind that depends on the user letting something run that they oughtn't, and a fair chunk of that WILL be caught by running in a non-privileged account. Probably no longer a majority of it (or of all malware) -- although prior to Win 7 catching on, it was.

Yes, but . . . I've got to draw the line somewhere between security and convenience. My primary computer is a true general purpose machine -- I might be surfing while rendering audio while watching my Slingbox. When security gets to the point that I can't really work the way I like, well, that's my line. That's why I have 2 NASes for backup, along with the off-site backup server. In 30 years of personal computing, the recent incident was the first and only time I've encountered malware that got past my defenses and actually caused some problems. It's a risk/benefit analysis, and I'm willing to incur some risk as long as my critical data remains safe.

Separate log-ins won't give me protection against rootkits and malware that can infect other machines over the LAN. The problem isn't my wife mucking around in the machine where she shouldn't, but clicking on the wrong thing on a website or, for that matter, just visiting the wrong website. She uses FireFox exclusively, and I'm pretty happy with my new installation of WebRoot, which seems pretty effective.

Yep. She'll jump on if I go out of the room for a cigarette or some more coffee.

I'm not at all familiar with hypervisors -- I had to look up the term. They seem to be environments that run virtual machines. Is that right? If so, I guess I don't see the difference between running a VM under hypervisor and running one under Win7 (other than the latter is free and the former isn't. :)).

Understood.

BTW, thank you, everyone, for taking the time to make suggestions. I'm just a dilettante when it comes to computer systems and I really appreciate the advice from the pros.

The problem with Linux is actually my problem with Linux. I'm conversant enough with the Windows OS to have a fair idea of what's going on under the hood, and how to make it do what I want. Linux is another story altogether. As I've mentioned, I've worked in it before, but I'm not comfortable doing so because I really don't have the knowledge or experience to use it confidently.

Sure, but there's that money thing again. :) I also really don't like the OS. My writing partner uses Macs and, whenever I work with her at her house, I always kid her about how a "real computer" wouldn't have any problems doing what she wants to do. Seriously, though, though I enjoy playing with machines, I expect them to do real work and a fair amount of what I do either involves specialized hardware/software combinations (for music work), specialized software (for video editing), etc. I read the audio and video forums and there are just too many problems with MacOS versions of these tools that simply don't exist in the PC versions. I think the main reason Macs persist in the creative fields is because Mac had a significant head start in these areas. Now, there's nothing a Mac can do that a PC can't, and for less money, with more choice of software and hardware tools, and far fewer problems.

Frankly, for what my wife does, an i3 would be overkill. I've got an old P4 box that, aside from taking forever to boot up, would work just fine.

It's not so much that it's a tiny space, as a fully loaded one. Our second bedroom houses my desk on which sits my primary computer,along with a USB DAC, a KRG room equalizer, two 8" near-field monitors and a film scanner, three monitors (one of them a 37"), two filing cabinets, two keyboards, my music computer which has two 24" monitors, a pseudo-rack that houses the two NASes, a thin client that I use as a VNC and FTP server, another thin client that is a phone server for a MagicJack. There's also a wide-carriage photo printer, a color laser printer, another inkjet printer for printing CDs, a scanner, a UPS, a bunch of bins for cables, a rolling file cabinet that I use as a work bench, two mike stands, including one with a large ambient noise filter, 4 book cases, the Cisco SPA8800, a 24-port unmanaged router, about a billion miles of cable collecting everything, and a bunch of boxes for storing overflow. :) There's barely room for me in there.

I've got two KVMs that are of the deck of card-cable sticking out variety. They have remote switches which would have to go on my desk, they would have to sit under it, and I'd still have to find room for the computer. I've got extra thin clients which are pretty and might be good enough for my wife to use, but I have no open space near enough to the desk to make that work.

Nope. She can barely use a browser. :)

Sure, but I either need a dedicated machine for them, or VM software that will support them under Win7. Right now, money is really, really, really tight.

I want my wife to start learning how to use computers, rather than just playing with browsers. Towards that end, I want her to use software that she'd encounter in a work environment (and, specifically, my work environment -- I want her to start helping me out at the office). I work in a law office, which is an all-Microsoft Office Suite shop.

I'm sure they are. I didn't know DRM was a specific problem for Linux and MacOS.

Sure, but the trojan horse stuff will also be stopped cold by a VM (or, at least, have to be a lot more sophisticated to get to the underlying machine). That's why I'm concerned about safeguarding the NASes and other connected computers on my network.

Nope!

In the connection properties, leave TCP/IP (v4) checked but UNCHECK the client for microsoft networking. This will disable windows file sharing client (and should automatically uncheck the server box when you do that). I do this on a VM I use as a web server, among my other precautions. You could still use a TCP/IP based printer / print server as well as any other web browsing software.

Excellent! I'll do this as soon as I get home. The NASes would still be accessible, but I can block access by specific IP addresses in the NAS software, so that will handle the VM trying to get to them.

Thanks!

I'm still unclear on what disabling Windows file sharing will accomplish. You won't be able to access your NAS (which sounds like the point - but it would be just as easy to block access from the VM IP in your NAS).

I want to block access, not only to the NAS, but to the other computers on the LAN which, in last month's malware attack, became infected.

Get a router that can do VLANs

I'm pretty sure that my router can. I'll have to look.

If it's wifi router, check this link if your model is listed. It will give you some extra info ;)

http://wiki.openwrt.org/toh/start

It won't give full protection, but I think you underestimate the utility of layered protection; a lot of things will be blocked by a combination of very low-tech measures (DNS proxy or hosts file, ad-blocking, click-to-play on plugins, user account control.) Some won't, but why not get the easy stuff the easy way?

Yeah, definitely not getting a reboot in there. Locking the machine and requiring her to log in as herself is probably practical, though.

In essence; the main advantage would be for her that there isn't an initial required step of going through the OS to get to her stuff. I wonder whether, with a separate user account, you could have her login go straight into the VM with one of Virtual PC or VirtualBox or VMWare Player.

More general advantages of hypervisors are that the performance is often better, and the flexibility with which you can assign the underlying hardware to the VMs are often greater. These would be bigger advantages in your case if (for example) you were running your own instance in parallel with hers.

The main thing with my original suggestion is that there's no outer OS environment for her to get caught in, or to muck up. If she's amenable enough to using the VM environment without being forced into it, that may not matter.

Off the top of my, head every VM environment I'm aware of that will run on a PC is available in a free-as-in-beer edition, with commercial/supported up-sells you're unlikely to care about.

If you care about FOSS, VirtualBox is available in an Open Source edition. It's somewhat more flexible than VirtualPC or the (free) version of VMWare Player. It's somewhat less flexible than VMWare workstation.

One trick which used to work nicely was to get a free 30-day trial of VMWare workstation to enable features in your saved vm that aren't enabled in VMWare Player, then just use VMWare player once the setup is the way you want it.

Oh, https://www.virtualbox.org/

Once again, there's the whole his/hers environment thing you've got going: just because she might be using it to browse (and do other stuff) more securely doesn't mean you need to know more about it than is necessary to set it up for her.

It's also really dead easy to understand what's under the hood, compared to Windows. :)

Well, that rules out the Mac Mini (which until more recently when there were some decent USFF PCs from other people, was the one Mac model I was attracted to for running non-Apple OSes on.)

Once you're running the MacOS unlicensed on a PC, you're running it unlicensed on a PC -- doesn't make much sense to have paid for it. I have on very good account that it runs well in VirtualBox. :D

Sounds like she's pretty patient of a slow browsing experience, and a P4 would be pretty bad on the electrical bill, but (ignoring the cost issue) sound like the Celeron NUC wouldn't be a bad way to go.

Here's an idea: what about setting up a VM on a different machine, wired outside the main firewall, and having her use remote desktop from your machine to get to it? If your wiring is all gigabit, she should be able to still watch videos on it... then the only traffic you have to worry about is the single RDP port outbound from the machine she's accessing it from.

As an added plus, she'd be able to get to her browsing/etc environment not just from your one desktop, but from any of your other machines.

Sounds like Linux (either Ubuntu or Chrome OS) might be a great choice

Any of the VM software will run Linux, including VirtualPC although it's not ideal for it. I mostly use VirtualBox, which is free (depending on which features you use, either as in beer, or open-source) and dead easy.

GUIs are fungible. If someone doesn't get the basic concept enough to understand that the basic metaphors are there, and that they can go from Linux to Windows XP to Windows 7 to Mac interchangeably, they need to work on the basics, but once they have the basics any WIMP UI should be usable.

Ditto, for that matter, the basics of office suites; pretty much all GUI word processors and spreadsheets work pretty much the same. An Office power user is more likely to notice the differences between LibreOffice than MS Office (or Office up to 2003 and Office 2007 and later, given the awful ribbon) than a duffer.

Once you're stuck needing office, you're pretty much stuck on Windows or Mac. You might see to what degree you can interchangeably use LibreOffice, but while it's fine for individual use IME the document interchange capabilities are not there.

I've yet to get Netflix working on Linux, for the main example.

Will be stopped cold in the sense of "gone again when you blow away the VM," but if you can avoid her getting them in the first place, that's still work you're saving yourself.

In theory, it is possible to have privilege escalation attacks out of a VM onto the underlying host system. In practice, I'm not aware of any working yet in the wild, and if there were, it would probably be aimed at large cloud infrastructure things ("I break into someones AWS instance, try to get into Amazon's infrastructure from there") and not individuals futzing with VirtualPC/VirtualBox/VMWare workstation on their own systems.

That may change if later Win8.x moves to more Hyper-V-based sandboxing (like some of the BYOD proposals where work apps are a segregated VM) but even there, it's far from clear whether any attack would be general as opposed to specific to Hyper-V.

--

BTW, I'd be terribly curious for a picture of the work room.

There comes a point of diminishing returns. My goal is to protect my system, not so limit her options that the likelihood of malware damage is zero. As I said, she's not a mischievous child, bent on clicking on everything and anything just to see what happens. I think there are two primary threats resulting from her use: drive-by malware, and websites that put up a fake, "click here to close this box." Though I suspect there is malware out there that can get around a VM, I doubt that most of it can, and that which might is going to be concerned with identity theft rather than malicious destruction (I don't have computer-controlled centrifuges for enriching uranium :)).

I really don't think this is necessary. Right now, she clicks on the FireFox icon when she wants to surf. With the VM, she'll click on the "Start" icon in Fences box with her name on it.

Whoa! Under no circumstances will I work in a VM. A lot of what I do is extremely CPU-intensive (that's why I bought my Uber Laptoppenstein). I'm not going to take a performance hit in the interest of perfect security (which, we all agree I think, is an oxymoron anyway).

That's the point -- I don't want to "force" her into anything. She's not going to go through my machines, deleting software, changing user permissions, overwriting the MBR, or, for that matter, installing software of questionable provenance, etc. She is going to visit websites that sound interesting to her but, nonetheless, are malicious and will attempt to install malware, either as a drive-by or through social engineering. The VM handles that.

I think, though, that Windows Virtual PC will do the job -- why go to the trouble?

Perhaps that's true. I'm still uncomfortable with the idea.

I've been using Windows, in some form, since 3.1.1 (the lack of networking in 3.1 made it a non-starter for me). Of necessity, given all of the quirks, bugs and idiosyncrasies of the OS, I've learned enough about it to build and maintain my own machines which, themselves, have some rather arcane configurations given what I use them for. As I said, "Damn it, Jim! I'm a lawyer, not a software engineer!" :)

Well, it's a matter of principal. We have iPods because they're unique products -- no other MP3 players have 160 gig hard drives that let you take your entire music collection with you. Otherwise, there are no Apple products in this house, and there never will be, absent another similar entirely unique product.

Well, there's that money thing again (and the space thing). Also, though I've only mentioned it in passing, my primary computer has $800 near-field monitors and a subwoofer. If I was so inclined, I could mix and master studio-quality CDs with this system, and the CDs that I do mix and master are close enough to studio quality that only a true audiophile or audio engineer would be able to hear the difference. I once left a CD from one of the shows that I'm writing in our home theater system and Mrs. PTravel played it without realizing what it was. When I came home she told me that she didn't know I had recorded an album back when I was an actor. :) Mrs. PTravel is a jazz fan and likes to preview CDs that she buys on-line, and also to research performers we may want to go see live. There is absolutely no way that even a very good set of computer speakers is going to approach the quality of the near-fields, and Mrs. PTravel WILL notice the difference.

Oy. Remote Desktop, and other better variants, live VNC, are slow, slow, slow. I use VNC to control the thin clients on my network -- it's fine for them as all I do with them is check on the status of the programs they're running. I also use it to install updates on my media computer in the living room (and to shut it off in case my wife forgets to do so when she's watching NetFlix). If I had to use a remote solution for all my computing, it would drive me insane and, no doubt, would do the same for Mrs. PTravel (not to mention that she likes to looks a web-hosted videos).

All my wiring (and switches and router) is gigabit. However, video is simply too much data, particularly when there are other traffic-intensive applications running, e.g. the mirroring of the two NASes is done with a thin client-based backup program.

The only other machine she'd ever use is the media computer in the living room, and that runs over a 500 meg power-line link (which actually gives closer to 300 meg). It does work fine for Netflix and HBOgo, but I can't see her hunched over the coffee table trying to browse with it. She will NEVER touch my music computer -- that's my security system for THAT machine :) -- though it wouldn't be practical for her to do so, as it's set up with my (piano) keyboard and she'd have to sit at the piano bench to use it. There's a media computer in my bedroom (a retired laptop), the two thin clients that run the FTP server, the MagicJack phone server, the NAS mirroring and a couple of other things, my laptop, the laptop that I gave her, and another retired laptop that, if I ever get the damn thing configured, will run FreePBX. Most of the computers on my LAN are busy doing things on their own and aren't intended for users.

Chrome OS sounds interesting, only because I doubt there's much malware written for it. However, as I mentioned, I want to get my wife used to working in a more "office normal" computing environment.

I previously had VirtualBox installed on my primary machine though, at this moment, I don't why I installed it. Oh, wait, I do remember. I have a couple of HP Touchpads with cyanogenmod Android installed on them. The initial install required installing the HP SDK on my computer and that, in turn, required VirtualBox.

I can, but the differences are enough that it would confuse Mrs. PTravel. She's very resistant to learning the underlying concepts -- she just wants to do what she does and doesn't care how the computer does it.

On this, I must disagree. I work in Word every single working day, and I'm familiar with the free alternatives. Though, for the most part, they're reasonable substitutes for Word, there are enough differences that make them impractical in a law office environment. As you noted, even just moving up through the various Word versions is painful enough (what in the world is Microsoft thinking, anyway?).

I need very tight integration between Acrobat and Word, as well as with Excel and, to a lesser extent, PowerPoint. There's simply no way around Word at this point.

It's easy enough to restore the VM from the backup. She's going to get malware as long as she keeps visiting Chinese sites.

That's what I think, too. Why would a hacker (or Russian syndicate) go to the trouble?

I have one machine on which I installed Win8, just to see what it was. Though I have it configured to boot into "classic" Win7 mode, and use that app, the name of which escapes me at the moment, that restores the Start button, and it DOES run pretty quick on the wimpy netbook on which I installed it, I have absolutely no plans to upgrade any of my machines to Win8, which offers no significant advantages to me at all.

Have you seen the pictures of the Oklahoma tornado damage? :)

I maintain that your best bet is to put Ubuntu Linux (very user friendly and easy to install - easier than installing Windows) on that old Pentium machine, and put that on its own VLAN. She can use your existing monitor that she likes if you buy a cheap KVM switch.

You can install a fully functioning Ubuntu VM in Windows to check it out - go to ubuntu.com and download the installer. It shows up in Windows as just another program that you can uninstall in the Programs control panel. Ubuntu comes with Firefox (Chrome is also available) and a fully functioning LibreOffice suite that is compatible with MS Office. It also comes with games, media programs, and the like. Don't worry about DRM and such - install Ubuntu and see for yourself if it works.

If you really like the idea of a Windows VM, go for it. But I think it can be a bit of a hassle to set up.

Also, I'd suggest she start using Chrome instead of Firefox. Chrome is generally considered the most secure browser.

See, from my perspective, the earlier steps are quite a great deal more basic than the step of running her stuff in a VM. Your opinion clearly varies, and I'm not going to belabor the points about separate logins, UAC, etc.

Speaking of which, if something written for teens isn't going to be too bothersome for her, you might download this free book from Microsoft and see if she finds it useful: http://www.microsoft.com/en-us/downl...s.aspx?id=1522

I wasn't suggesting you would today; you made that quite clear already, hence the use of the subjunctive.

I don't know if it would make as big a difference as you think, though -- CPU/Memory is the one area where running in a VM has little to no impact on modern hardware since the virtualization is almost all handled automatically by hardware inside the CPU cores... especially in the case if you are the only VM running/active. I/O impacts are trickier, and if your audio includes any live recording/analog-to-digital conversion, that's particularly tricky since some of the I/O latency can get very unpredictable (I was reading recently about folks doing pro audio stuff turning off both turbo and power-saving features because of interrupt/DPC latency... at the point you're doing that, virtualization is a non-starter for sure.)

I don't know that it has the tools to do any reasonable network isolation, or how it performs playing video; if it does both well, go for it.

VirtualBox has some good tools for flexible networking, so does VMWare Workstation. I'm not sure what Player has, or if the trick of setting up your options in a trial of Workstation still works. Both VirtualBox and VMWare have pretty good accelerated video driver support when running on a Windows host.

Sounds like you jumped on the networking bandwagon early, although 3.0 and 3.1 worked fine with Netware/LANtastic/MS LAN manager -- there was no native support in the GUI, but there were plenty of networking products for DOS, and by the later 3.1 days most of them had Windows add-ons.

(As an aside, as someone who's worked on both the IT and software engineering sides of the house, while I find them terribly bothersome, there are quite a lot of software engineers who don't know their head from their ... when it comes to the OS or the hardware they're running it on.)

Money, I get. Space, I still don't get; I'm not sure if you can't velcro 4.5"x4.5"x1.55" to the side of your current desktop how it gets adequate airflow :D If that really is too big, what about one of these: http://www.tomshardware.com/reviews/...view,3492.html

If, (and please note the use of the subjunctive here) you were to decide to go with a separate box, I have no doubt that you'd be able to figure out a way to wire the audio out from the smaller box for her either through your main PC or into some kind of mixing input such that she could use your speakers. :)

May well not be worth the trouble, depending on whether you can get adequate network isolation using virtualization.

Sadly, that's the same attitude that probably has lead to all the malware; I can't suggest how to get past it from a social/marital perspective, although I certainly wouldn't want to share a network, let alone individual machines, with someone like that.

I think that makes you a power user. :D

Fair enough, and if you need it, that means when she starts helping you with work, she does. It sounds like she's got a ways to go before she's useful at that; from my perspective, learning the basics on LibreOffice (etc) and then moving to Word wouldn't be the worst idea in the world, but YMMV, and for someone unwilling to learn the basic notion of "this is who you do stuff in general in a GUI" who's looking for "this is the magic incantation I don't understand that gets the machine to do X/Y/Z" then the differences would be frustrating.

I suspect that some combination of user education and better security measures on the machine itself would at least substantially decrease the frequency, but YMMV.

In its current incarnation, I agree. There are several apps which restore the start button/menu; Start8 is generally regarded as the best, and is a cheap commercial one (from StarDock, the same folks who do fences, which you also mentioned.) ClassicShell is the best of the free ones.

While VMs don't have decent graphics the CPU performance is pretty good.

GPU passthrough means you've got the full GPU power of the machine. Well, once it's working; it's a bear to get working in Xen, and I can't imagine it's any easier with anything else (barring Hyper-V, maybe, in an all-Windows environment.)

Not that I'd recommend it to PTravel, but it's worth knowing about.

This is a fascinating thread though I suspect there is a learning curve in setting up VMs, especially with VLAN tags as some have suggested. For a use case where the applications will be very few, even say just a browser, do people have any experience with a simpler sandbox implementation such as Sandboxie?

Thanks.

VLAN tagging has quite a learning curve, yes. I just physically segregate my network into a trusted and an untrusted section.

Just setting up VMs is dead easy; the simplest untrusted VM, and a very good one is to just run a Linux LiveCD (take your pick; pretty much every distro now makes one), point VirtualBox or your choice of virtualization apps at the CD with all the defaults turned on, and you're up and running.

If people want, I can post some screenshots as a how-to.

Setting up a basic Windows VM is pretty much the same except you then have to run through the Windows setup steps, and probably load a video driver afterwards...in general, there's a menu item in the UI to "Load [VMWare/Virtualbox/etc] Tools" which mounts a CD image, and then you just go through that and reboot it.

I've used chroot jails under Linux (and run stuff I really didn't trust ... like software key generators ... under WINE rather than real Windows) before, but never anything else like that under Windows. I was unaware of Sandboxie until you mentioned it.

Funny - I think the Windows VM's are the ones that just work. Install OS, install VM tools, and it works!

I always ended up deleting my Linux VM's because I could never get them to work to my satisfaction. Namely, the desktop resizing feature. As I resize my VM window, the windows guests all resize their desktop to 100% of the allicated space in the host window when guest resizing is turned on. Do you know how to make this work with VMware on Linux? Every time I sized the window to some size other than what it was when the VM booted up, I would end up having to use scroll bars all over the place and it was just darn annoying (because I frequently switch back and forth between a "windowed" mode and a "full screen" mode). Click menu, use scroll bar, find window, use application, use scroll bar, find menu again, use scroll bar, find bottom of screen, use something down there, use scroll bar, resize windows to fit within the host window.... Like many things in Linux, I'm sure it's possible if anyone could just find a setting in there. But I am not a Linux guy and don't pretend to be, though, so perhaps you could point me in the right direction for where to find that.

Linux is not really one OS in that sense, because of the choice of desktop environments... and the proliferation of different versions of the standard stuff across distributions.

With a modern version of X.org and a modern (Gnome 3, KDE 4, etc) desktop + the VMWare video drivers (should be integrated into most non-Debian-based* and desktop-oriented distros), it should "just work."

(* the Debian "open source at all costs" philosophy, which is sadly baked into Ubuntu, means I think they may not be in either Debian or Ubuntu, unless VMWare has open-sourced their video drives... which they may have.)

I haven't used VMWare in a couple of years, so beyond that vagueness, I can't be as much help as I'd like. I can confirm that with VirtualBox and the three liveCDs I happen to have ISOs of sitting on my hard drive:
- OpenSUSE 12.2 ( openSUSE-12.2-KDE-LiveCD-i686.iso ) just works with VM screen resizing out of the box
- archlinux-2013.02.01-dual.iso doesn't have a GUI on the LiveCD (I'm guessing that was intended to do an install. I'm not sure when I was messing with it!)
- systemrescuecd-x86-3.4.2.iso does not work with VM screen resizing out of the box -- I get scroll bars if I resize manually (although VirtualBox resizes the window properly when I change the resolution from within the VM)... not sure if this is a driver issue, or an Xfce issue, since it uses that very basic desktop environment.

With a more conservative, less desktop-friendly distribution like Arch or Gentoo or a more conservative one like RHEL/CentOS or an open-source only one like Ubunto/Debian, assuming a modern version of X and a modern desktop(*) it should just be a matter of running the VMWare tools installer off the CD image (or in the case of Ubuntu, there's probably an installable copy in the non-open-source repository, which it may offer you automatically after the first boot -- ISTR that's what it did for the closed-source Nvidia drivers for me when I was messing with it.)

(* again, Gnome 3 or KDE 4... I generally recommend KDE to Windows people, as it feels a lot like Windows to me whereas Gnome 3 is weirder; maybe more OS X like but not like the old Macs I knew or Gnome 2 which was very Mac-like)

i think Oracle VM VirtualBox or VMWare is SAFER than Windows Virtual PC.