Use Windows only if you have to - Schneier ( who has to)
Lots of good advice.
He recommends deleting cmd.exe and command.com. I'm curious about the cost/benefit of that (how many apps break vs. how much malware it stops), and whether just renaming would work.
He also doesn't mention password hashing, though for websites. Is that an oversight or is there something wrong with just a passphrase?