My question is why do the client machines (heck, even servers) need direct unfettered internet access? Block everything outbound, use a proxy and you have control of it - especially if you have a proxy that can intercept SSL and runs AV.

Also, assuming Windows, you can lock down exactly what software is allowed to run. Don't have admin rights? Can't modify what can run, can't install new software, can't run malware.

Straight away you're far more secure.

The first few weeks after I got a new car..

For a Windows XServer, try http://sourceforge.net/projects/xming/

Works great when I've needed it!

Why? Because that's where all the developers in the entire world are located?

2) The fine grained ACLs are good, but they often don't seem to work properly. On Win2k8 I've encountered cases where an account belongs to the Administrator's group but it somehow does not have enough permissions to rewrite/save a file that "full access" permissions to those in the Administrator's group. Why can't I open the file, change it and save it back? When I use that account to copy a file onto that file I get a "privilege escalation" prompt and if I "OK" it it overwrites the file. So the account is definitely in the Administrators group already...

It's UAC. If you're in the Administrators or Domain Admins group and have UAC turned on, you're not *really* in that group. If you start your editor by right clicking it and choose Run as Admin (receiving the UAC prompt), the editor is now running with Admin/Domain Admin credentials, so you can edit that file as you see fit.

Just double clicking the file opens it as a normal user, without either of those groups, which is why you can't save over the top of it. If this really annoys you, change the permissions so another group you're a member of has rights to it.

1) Add notepad, texteditor and hexeditor shortcuts to your SendTo folder. If you are unclear on where your SendTo folder is (because of roaming profiles or other weirdness), go to start, and run shell:sendto

I would add WinMerge to that as well - that's been useful a few times when exporting registry settings and the like.

4) notepad++ is often better than notepad :).

NotePad++ is ALWAYS better than Notepad! :)

but will we allow it to take over the wheel?

As I don't live in a country that's very sue-happy (yet, we're heading that way), yes! Please take the wheel! A snooze on the way to/from work would be excellent, thanks.

So what's to stop me registering your name/username on a site you don't already use, creating a key and uploading that? It's authenticating a person, but that person's not necessarily you.

With you on the banking example, but if they're asking an agency they trust, how is that any different to a third party/middle man?

Okay, how about Site X that you visit and enjoy (say, Slashdot? Youtube? Whatever!) implements authenticated comments only. How do they get your key to prove you're you? What about if you bought something from Asia/Europe/America - another country/region to yours - which requires it?

It's not just physical places that have this problem :)

So where do I get your key from?

for example in writing printer and scanner drivers

So they either didn't check what they had or just carried on buying any old random scanner or printer. That's not the best route for success..