This post ( http://www.codinghorror.com/blog/archives/000491.html ) has some interesting ideas about the use of Virtual Machines as a software distribution format. It reminded me of something I tried to do last year in the quest for a safer browsing experience.
My experiment: using Virtual Machines for safer web browsing experience
Like many of my colleagues, I play the role of IT staff for my family and friends. After a long and frustrating session of cleaning a friend's machine from a spyware infection, I decided to explore ways I could prevent her from (1) easily getting infected and (2) mitigating the impact of an infection and (3) still providing her with easy and familiar browsing experience.
So, I created a small VM, installed Windows XP, and tried it myself for several days.
The results ...
General usability problems It's "clunky" to see two operating systems up. The ideal for the end-user should look perhaps more like a special browser, not an entirely different OS Downloading files in in the VM doesn't mean its easy or obvious how to access the files from the "real" OS. Security Your VM can get infected and could be a threat to your "real" machine or other machines in your home network. Instead of a single machine, now one has to be concerned with patching and running AV and getting updated AV signatures on two machines. This doesn't help with phishing attacks Licensing & cost Yes, one needs to purchase a separate license for the Windows OS being used on the VM. An Open Source OS with a free license is another alternative (but I believe would be an even more confusing end-user experience.) And one has to account for the cost of running AV on the VM also Recovery If you are infected you have to recover using undo disks or copying a safe version of the original virtual hard drive. That's a lot of end-user pain. The ideal might be some kind of very obvious "reset" button that restores the VM to a completely safe initial state (that of course then has to get the latest patches and AV signatures).
General usability problems
Security
Licensing & cost
Recovery
My conclusion
Ultimately, I didn't consider this a success. I felt the experience would be more confusing to the end-users and it wouldn't reduce the time that *I* would spend supporting my friends and family. Also, with regard to the phishing attacks, it's still a very incomplete solution.
There's probably more to be learned from the the approach of providing small, role-based VMs but it's going to have to be more seamless, easy-to-manage, and more secure.
Links
Check out this "Browser Appliance": http://www.vmware.com/vmtn/vm/browserapp.html