The main difference was that when I installed Windows, I had to do it twice. I neglected to disconnect the network cable, and before I had Windows properly installed, the computer was infected with Nimda.

Very strange. I've installed most versions of Windows at one time or another, most of them many times and on a variety of machines, but I've never had any of them initiate a connection to the network. Indeed, I don't recall ever having used a version of Windows that would allow me to connect to the internet until it (Windows itself), was fully installed such that I could (and had to), then install/configure the software required to connect to my choice of ISP.

It's only at that point, when installing or configuring the software for an ISP, either from CD or pre-installed by the hardware vendor, that the system becomes connectable, and therefore vulnerable.

It's hardly the fault of the OS vendor, if the ISP/hardware vendor supplied Internet connection software doesn't pre-install appropriate safeguards to protect the machine once it is connected. It is pretty much par for the course for MS to get blamed for the inadaquacies of these third parties.

I'm not for one moment suggesting that MS do not carry a burden of responsibility. If they would set up their OEM distributions configured for maximum security--ie. disable about half of the services that are enabled and open by default--then far fewer exposures would result. But not all exposures are as a result of MS action or inaction, and attributing them all to MS without considering the other parties involved in the distribution and configuration chain just clouds the issues.

You made an interesting comment about your sister's experience: ... She had you to help her out with this vital process. Without your expertise, I suspect that she might have had security problems.

Agreed, but again I'll point the finger at the hardware vendor who tailored the OEM installation of XP that came on her machine. They completely re-configured the OS; custom backgrounds; help facilties; machine specific utilities and extensions. They added a gob-load of 3rd part software packages; including 3 or 4 "sign-up on first use" Internet connections. She chose to use one of these when she first got the machine. Despite all the configurations they made, they failed to set the machine up with a firewall. They didn't even enable the XP built in firewall. Inadaquate as it may be, it would have been better than nothing. Who do you blame here?

Of course, MS could have enabled the firewall from the get go, but then 2 dozen firewall vendors would be launching law suites against them for "bundling" software with the machine and encroaching upon their marketplace. Sound familiar?

As I understand it, if you install Linux, you are still responsible for obtaining and installing a firewall, and will be vulnerable, until you do. I've no idea how you go about configuring Linux to connect to the internet (via dialup); whether you just type a command and enter the phone number and password; or whether you need to install some additional software first. The OS cannot come pre-configured for your ISP.

Either way, if you take those steps and then connect without having installed/configured/enabled a firewall (IPTables?), then you would also be vulnerable. Less likely to get found and exploited by virtue of obscurity--there are less dirtbags out there searching for and exploiting Linux vulnerabilities; at least so far--but still vulnerable.

And if you use (say) Firefox, then you are still responsible for keeping up to date on the fixes to it's vulnerabilities. Like the 21 recently discovered. The same is true for other browsers.