From supporting the public computer labs on campus we've learned that the best way to secure Windows is to run with a limited (non-administrator) account. This, however, isn't always possible. Here are a few approaches to reducing the risk when users have to run with administrative rights:
1) Automate patching of Windows. Antivirus and antimalware tools cannot keep up with the malware authors. They are still important, but patching the flaws the malware exploits is equally important.
2) Automate patching of critical apps (this includes web browsers and any browser plugins, office software and, sadly, PDF readers). Secunia's PSI tool should be run after system imaging to find any other apps that still need a patch. Package the updates for critical apps, keep the packages in a common location, update them regularly, and make their deployment part of the imaging process.
3) Drop the rights of critical apps. This means sandboxing the web browser and other Internet-facing apps, or launching them under a restricted token so that they run with fewer privileges than the logged-in administrator. Two useful tools: Sandboxie and DropMyRights (from Microsoft).
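The following PowerShell script is an added example of how items 2 and 3 above can be scripted into the imaging process; it is not code from the original post. It assumes a hypothetical package share (\\fileserver\patches) holding the installers plus a manifest.csv with columns Name, File, Sha256 and Args, and assumes DropMyRights.exe has been copied to C:\Tools. The hash check is my addition: an installer pulled from a shared location should be refused, not installed, when it does not match the hash recorded when the package was built.

```powershell
# Added example (not from the original post): deploy packaged app updates from a
# common share during imaging, then create browser shortcuts that launch through
# DropMyRights with a restricted token.
#
# Hypothetical layout assumed by this script:
#   \\fileserver\patches\manifest.csv   (constructed example row:)
#     Name,File,Sha256,Args
#     "Firefox","firefox-setup.exe","<sha256 of the installer>","-ms"
#   C:\Tools\DropMyRights.exe           (Michael Howard's tool, usage: DropMyRights <path> [N|C|U])

param(
    [string]$PackageRoot  = '\\fileserver\patches',
    [string]$DropMyRights = 'C:\Tools\DropMyRights.exe',
    [string]$LogPath      = 'C:\Windows\Temp\app-patch.log'
)

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Installs every package listed in the manifest. The Sha256 column pins each installer,
# so a stale or tampered file on the share is logged and skipped instead of run.
function Install-PackagedUpdates {
    param([string]$Root)
    $manifest = Import-Csv -Path (Join-Path $Root 'manifest.csv')
    foreach ($pkg in $manifest) {
        $installer = Join-Path $Root $pkg.File
        if (-not (Test-Path $installer)) {
            Write-Log "SKIP $($pkg.Name): $installer not found"
            continue
        }
        $actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
        if ($actual -ne $pkg.Sha256.ToUpper()) {
            Write-Log "REFUSE $($pkg.Name): hash mismatch (expected $($pkg.Sha256), got $actual)"
            continue
        }
        Write-Log "INSTALL $($pkg.Name) from $installer"
        # Silent-install switches come from the manifest; omit -ArgumentList when empty.
        $startArgs = @{ FilePath = $installer; Wait = $true; PassThru = $true }
        if ($pkg.Args) { $startArgs.ArgumentList = $pkg.Args }
        $proc = Start-Process @startArgs
        Write-Log "DONE $($pkg.Name): exit code $($proc.ExitCode)"
    }
}

# Creates a shortcut that starts the target through DropMyRights with the Constrained (C)
# token, so a browser exploit runs without the logged-in administrator's rights.
function New-LowRightsShortcut {
    param(
        [string]$Name,
        [string]$Target,
        [string]$ShortcutDir = [Environment]::GetFolderPath('CommonDesktopDirectory')
    )
    if (-not (Test-Path $DropMyRights)) { throw "DropMyRights not found at $DropMyRights" }
    if (-not (Test-Path $Target))       { Write-Log "SKIP shortcut for $Name: $Target not found"; return }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $ShortcutDir "$Name (low rights).lnk"))
    $lnk.TargetPath       = $DropMyRights
    $lnk.Arguments        = "`"$Target`" C"
    $lnk.IconLocation     = "$Target,0"
    $lnk.WorkingDirectory = Split-Path $Target
    $lnk.Save()
    Write-Log "SHORTCUT $($lnk.FullName) -> $DropMyRights $($lnk.Arguments)"
}

# Run as the last step of the image build (hypothetical browser path).
Install-PackagedUpdates -Root $PackageRoot
New-LowRightsShortcut -Name 'Firefox' -Target "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
```

The log file gives the lab staff a record per machine of which packages were applied, refused or missing, which is what you want to review before declaring an image done. Replace the "(low rights)" shortcut with the plain browser shortcut on the public desktop so users don't bypass it.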