I didn't mean to take the thread so far off-topic. But...
Erm.... hmph. If you say so.You must not know that much about Windows..
Alrighty then. Why don't you set \Program Files \windows and \windows\system32 read-only for all but the administrator and let us know how many applications still work, hmmm?If you can't set different NTFS permissions based on folders and volumes, then you really don't know anything about windows.
The tree is a jumbled mess that requires write access all over the system areas for non-privileged users. It's because Windows 2000 inherited a directory structure that was developed in the DOS/Win3.1 days before multiuser environments were ever put in place. They made a design choice to keep the old structure for backward compatibility, and that's fine. But a hatchet job on filesystem permissions is the price you pay for it.
Look... I'm not disavowing the virtues of AV scanners or firewalls. Anybody here who knows me knows that I believe strongly in those things. My only point is that for Microsoft to include them in a service pack that is supposed to boost security is like putting a Band-Aid on a gunshot wound. It's a nice thought, but it's not going to fix the basic problem. And it's just going to hurt companies that put out fine products that I'm pretty sure are more fully featured than anything Microsoft can come up with.
Anyway, enough said..... back to retirement.