Quote:
In the registry, deny every user and system account write/modify permissions to the typical startup keys and spyware hiding places (even services?).
Deny every user and system account write/modify permissions to startup folders.
Write protect the host file and maybe even the local DNS cache....?


The problem still always comes down to the fact that people on Windows machines are logged in with the second highest privileged account possible, with only "SYSTEM" having more power.

Fixing it is as simple as not logging in as an administrator. The problem is that this isn't the default like it should be (and apparently will be finally in Longhorn). If you're not logged in as an admin, everything above in the quote is addressed. As far as IE, well, it needs to just be scrapped period. No web page should ever be able to try and set itself as a home page, no web page should download a plugin first, then ask if it needs to be installed, and so on.

Beyond that, it's just a matter of teaching people to not type in their password when prompted by the system if they didn't do anything that should have. My grandmother, for example, understands that she should only type in her password if the system has the specific system update program running. Other than that, she knows to click cancel. While no malware exists in the wild for OS X, she is ready if any ever does come out, since it will trip the system password prompt to do anything damaging.
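
An added example, not part of the original post: a PowerShell audit of the locations named in the quote (startup keys, services, startup folder, hosts file) that lists any principal other than SYSTEM, Administrators or TrustedInstaller holding write access. The path list and the trusted-SID list are assumptions chosen for illustration.

```powershell
# Added example. The locations follow the quote; the exact paths and the
# trusted-SID list below are assumptions, so adjust them for the machine audited.
$Targets = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:SystemRoot\System32\drivers\etc\hosts"
)

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Access-mask bits that permit changing the object. The positions are the same
# for files and registry keys: 0x2 WriteData/SetValue, 0x4 AppendData/CreateSubKey,
# 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER,
# 0x10000000 GENERIC_ALL, 0x40000000 GENERIC_WRITE.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-UntrustedWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        foreach ($rule in (Get-Acl -LiteralPath $p).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries apply to children, not to this object itself.
            if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) { $rule.RegistryRights } else { $rule.FileSystemRights }
            if (-not ([int]$rights -band $WriteMask)) { continue }
            # Compare by SID so the check does not depend on the display language.
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $rule.IdentityReference.Value }
            if ($TrustedSids -notcontains $sid) {
                [pscustomobject]@{ Path = $p; Identity = $rule.IdentityReference.Value; Sid = $sid; Rights = $rights }
            }
        }
    }
}

# No rows means only the trusted principals can modify these locations.
Get-UntrustedWriteAccess -Path $Targets | Format-Table -AutoSize -Wrap
```

The check reads only the ACL on each listed object, so individual service subkeys under `Services` are not examined; pass them to `Get-UntrustedWriteAccess` explicitly to cover them.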