Alex, I did that with my own main machine at home. I didn’t do anything to users that I didn’t do to myself. It was no hassle. If you need to run a game and don’t know how to hack it to get it to run as a non-admin, or if that’s totally impossible, just make another admin account and runas it in that. The most important thing is not to be using a web browser or email in an unsecured admin-privileged account. If all you do in that admin account is run your game and your game is not evil then where’s the harm?
I guarantee from ten years of personal use at home that if done right by someone with enough security config expertise, fully secured machines are zero hassle. They had to be because my clients’ users would be moaning otherwise but they never even knew there was anything unusual about their systems, not until they tried to do something highly suspect or made a bad mistake and got stopped.
It’s important to use a good email program and a filtered virus-scanned email service with attachment stripping so e.g. exes get stripped before they get to you. Although no harm will come to you on a fully secured system, as even if you receive a malicious exe and save it, you can’t run it. But a clueless user could email it to someone else which is not good at all. Don’t ever use webmail unless you have a scanned attachment-stripped email service. Use a proper email client such as Outlook which blocks attachments and castrates html email.
I don’t know what Firefox is like now but it used to be hopeless in security terms. Chrome showed promise but Microsoft browsers have always been light years ahead in security terms because of their sophisticated split-privilege/low privilege special architecture. Chrome may have this too. But unless you know a lot about security architectures stick to a Microsoft browser for safety given web browsing is the highest risk activity there is. With full SRP and file system ACLs hardened you will be ok even if the web browser’s security model fails though.
These are the pillars:
1. No users as admins, esp not yourself
2. File system ACLs hardened correctly
3. Draconian SRP done right
4. Delete all random directories below the root unless you absolutely need some for a badly behaved app. This simplifies SRP and filesystem rules and keeps them correct long term. Also have zero random files in root (comes under ACLs anyway). This latter rule is not 100% essential but not having it is the road to hell.
5. Patches patches patches / updates to Windows and all your apps
If you have a badly behaved app or a game, say, which won’t run under a standard user account and you can’t work out how to hack it even with expert help and tools, then run it within a VM and then problem over. Don’t spend days on it.
I hacked the application “SmartStamp” from the Royal Mail iirc, an app that prints out stamps, as it wouldn’t run under a standard user account - unforgivably for a business app. While doing so I found it introduced an enormous security hole into every machine it was running on. Any standard user could use SmartStamp to gain admin privilege and cause limitless havoc. I fixed this evil by modifying the cruddy thing suitably, getting a knife into it. I mention this because this annoying process of dealing with random badly behaved apps can sometimes be very revealing.
It’s not all about security. A well secured machine where you’re in charge not some horrid random apps’ quirks is one that is more reliable because apps can’t wreck it.
Aside from VMs, if you can afford it why not have two physical machines if you want one for gaming, and have another for work or a place where you keep your critical data, stuff that you don’t want to lose and on which you do ultra hi risk activities such as web browsing?
If you’re serious about security and don’t know how to do all these things get some help from a real expert professional. Unfortunately these are extremely rare, but if you shout, I am here for you.
You also need a fully secured wireless LAN, a proper firewall and a router that is not full of security holes/bugs. Don’t allow random or evil users on to your LAN be it wireless or wireful as their machines could attack LAN infrastructure with scary results. If you need to have such users visit you, put them in another LAN or use VLANs - there are a variety of solutions. Help is available with this kind of network security design. It’s difficult to give guidance because some things depend on the capabilities of the kit that you’ve got.
Sorry it’s been such a rant, hope some of it might be useful. Did this for a living full-time for a decade until I became too ill. I did security config for many home users not just business customers as home users matter too.
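A read-only way to check pillars 2 and 4 from the list above, as an added example that is not part of the original comment. It assumes "hardened" means no write access for non-admin principals at or directly below the system drive root; the baseline folder list and the function names are hypothetical.

```powershell
# Added example: read-only audit for pillars 2 and 4; it changes nothing on disk.
$root = "$env:SystemDrive\"

# Assumption: constructed baseline of stock top-level folders; adjust per machine.
$expected = 'Windows', 'Program Files', 'Program Files (x86)', 'ProgramData', 'Users'

# Well-known SIDs treated as privileged, so their write access is not reported.
$privileged = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal create, change or re-permission content, plus the
# raw GENERIC_ALL / GENERIC_WRITE bits that appear on some inherit-only ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = ([int]$rights) -bor 0x10000000 -bor 0x40000000

function New-Finding($Kind, $Path, $Detail) {
    # One uniform shape so all findings print in a single table.
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail }
}

function Get-NonAdminWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # unreadable ACL (e.g. System Volume Information)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($privileged -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        New-Finding 'WritableByNonAdmin' $Path "$sid has $($ace.FileSystemRights)"
    }
}

# Pillar 4: unexpected directories and loose files directly under the root.
# -Force includes hidden system items (pagefile.sys etc.); baseline those too.
$items = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)
$dirs  = @($items | Where-Object { $_.PSIsContainer })
$dirs  | Where-Object { $expected -notcontains $_.Name } |
    ForEach-Object { New-Finding 'UnexpectedDirectory' $_.FullName '' }
$items | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { New-Finding 'FileInRoot' $_.FullName '' }

# Pillar 2: the root and each top-level folder, checked for non-admin write ACEs.
@($root) + @($dirs | ForEach-Object { $_.FullName }) |
    ForEach-Object { Get-NonAdminWriteAce -Path $_ }
```

Run it from an elevated prompt so most ACLs are readable; each `WritableByNonAdmin` row is a location an SRP rule set would have to account for.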