It is almost inevitable that I will have to provide them with a Windows machine. The *nix alternative is too weird and too much could go wrong in their hands.
(1) I would lock them out of any significant changes. They would not be capable of getting escalated permission (to install or uninstall software, to use administrative tools, etc.) without a special* password.
(2) * I would come up with some means of rewriting the admin password using PRNG and a given sequence. Each time Admin permission is given for installation of some program or another, it would advance the sequence and re-write the Admin password. I would keep track of how many times this has been done and always know which bunch of pseudo-random characters it is currently. I would probably be on the phone with them for a while because in some cases you have to escalate two or three times to get something installed or changed.
(3) A sub-Admin account would exist but with severely curtailed privileges. Where "Administrator group" permissions are given for services or privileges, I would remove "Administrator group" and replace it with the name of the fully-powered Admin account, and only add the name of the sub-Admin account where it's needed. They would regularly use this sub-Admin account instead of a regular user account. This way they could plug-and-play printers, change Windows services (SOME of them) and so on without needing to call me up for the mystery password.
(4) All remote access services would be shut down. They would be entirely on their own, no remote desktop or remote help. If they somehow heard about remote desktop or remote help and wanted to do that, I would tell them too bad, that if they don't want a secure computer we can do a fresh re-install and they can have the complete out of the box experience and damn the torpedoes, but that I would no longer consult with them on that computer. That would change things, if not right away, then certainly when they are swamped with viruses and getting hijacked down the road.
(5) I would demand no outside consultancy, just like I do with any Windows box I "secure". If somebody I've helped comes back to me complaining that they went to somebody else and now everything I did was undone again, I cut them loose. There are too many people posing as "computer geeks" who seem to enjoy installing anti-malware that's pure slowdown and kicks and screams to stay on the system, "speed up" and "doctor" apps that are known to be shady, and other massively market-hyped crap. Since insisting on no outside consultancy, I've significantly decreased my stress and workload by ridding myself of chronically repeat clients. In fact, I don't do street computer work any more, at all. It's not worth it. I would be doing my "parents" a serious favor at the cost of a lot of stress and hassle in my life.
(6) I have never been satisfied with the auto-update experience of most applications. I would have to choose software for them that I feel is secure enough not to need updating, and to leave it at that. Windows Update is bad enough, and they are already going to be screaming at me over the phone on those days when there's a serious patch and it's in the news and Microsoft's update service is running slow or haltingly for several days.
Alternately:
I would just install something like SUSE and a virtual machine running their precious Windows. I would get my "parents" a really expensive laptop, two sets of wi-fi keyboards and mice, two wi-fi monitors, and set them up with SUSE giving them two simultaneous but separate experiences inside their Windows virtual machines. It would take me for fucking ever and would be complicated as shit, and would be really expensive. Then since they would want persistent Windows experiences, Windows itself is still there to be a total complete headache nightmare. So why go the convoluted "matrix reality" style virtual machines in a Linux box when they can still screw up their persistent albeit virtual Windows experience? Yes there'd be this nice safe layer of protection between what some hacker thinks they've broken into and what's really going on, but the "parents" would still be calling me up screaming because they screwed up. So I would *STILL* have to do everything I described above, and would *ALSO* have to do everything that entails running these two virtual machines from this SUSE laptop, securely, and feeding the output two separate ways to two separate wi-fi "dumb terminals". If I went the native Windows way, their computers would still be relatively fool-proof and tamper-proof, and the hardware would be much cheaper.
I would prefer the first choice, where I buy them two cheap laptops and install Windows 8.1 on them, and create a system with limited privilege admins and as few open ways for them or for others to hijack the machine as possible.
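
The counter-based password rotation from point (2), as an added example that is not part of the original post: it swaps the PRNG for HMAC-SHA256 keyed with a secret, so that seeing one password does not reveal the next, and adds a short check code to recover the count when the machine has advanced further than the notes say. The function names, the 32-byte secret, the labels and the check code are assumptions made for illustration.

```python
import hashlib
import hmac
import string
import struct

ALPHABET = string.ascii_letters + string.digits      # 62 symbols
LIMIT = 256 - (256 % len(ALPHABET))                   # reject bytes >= 248: no modulo bias

def _mac(secret: bytes, label: bytes, counter: int, block: int = 0) -> bytes:
    if len(secret) < 32:
        raise ValueError("secret must be at least 32 random bytes")
    if counter < 0:
        raise ValueError("counter must be non-negative")
    msg = label + struct.pack(">QI", counter, block)
    return hmac.new(secret, msg, hashlib.sha256).digest()

def password_for(secret: bytes, counter: int, length: int = 20) -> str:
    """Admin password for step `counter` of the sequence."""
    out, block = [], 0
    while len(out) < length:
        for b in _mac(secret, b"admin-pw", counter, block):
            if b < LIMIT and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)

def check_code(secret: bytes, counter: int) -> str:
    """Short non-secret code the machine can show so the count can be confirmed by phone."""
    return _mac(secret, b"check", counter).hex()[:6]

def find_counter(secret: bytes, code: str, expected: int, window: int = 5):
    """Resynchronise: search a small look-ahead window, as HOTP (RFC 4226) does."""
    for c in range(expected, expected + window + 1):
        if hmac.compare_digest(check_code(secret, c), code.lower()):
            return c
    return None

if __name__ == "__main__":
    secret = bytes(range(32))   # constructed demo secret; use os.urandom(32) in practice
    on_machine = 7              # machine escalated twice more than the notes say
    step = find_counter(secret, check_code(secret, on_machine), expected=5)
    print("machine is at step", step, "-> password", password_for(secret, step))
```

The secret has to be stored on the machine where only the full Admin account can read it, since anyone holding it can compute every password in the sequence.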