Originally Posted by chinaco
There is no such thing as a completely secure computer... unless it is turned off.
[edited out stuff here]
A better practice is to use a limited privilege account (or guest access privileges). Those accounts do not allow the user to install software (or attackers that try to take control during their logged in session). Of course, the user cannot install software themselves so they would need to log in the an admin level account for computer maintenance tasks. This is a hassle, but IMO a worthwhile trade-off of convenience for security.
This practice is not fool proof but it can foil certain types of attacks. There are other ways attackers can compromise a computer that is in use with a limited privilege account...
That computer you mention must also have the network cable disconnected, lest a magic packet be sent to wake the computer up
The limited account idea is very good. I admin a small business network distributed to 8 locations. Where the employees have re-infected their computers several times, I have installed new systems with limited accounts. The new systems are humming along with no internet games or specialized screen savers installed. The business manager asked for the admin password, as it was limiting for them. I refused, and then was asked by the operations manager for updated list of all passwords. I sent them, included my warning that the admin password must not be given to anyone. I expect service calls to double as a result of this.