I just read the following line in an article in a security focues issue of NetworkLife magazine about novice computer users and firewalls:
A good rule of thumb: “If an alert occurs when users are launching any kind of Internet action, such as connecting to their mail servers, downloading programs, connecting to a Web server, or updating software, then they should accept it”
And to be honest, that has been the general consensus on this matter for pretty much ever. Unfortunately, while it is quite logical, it is not a very good rule of thumb. What happens when a piece of software, say their anti-virus app, tries to check for an update while the user is typing a paper? An alert pops up telling them that a program is trying to connect, and they think “hmmm, I’m just typing a paper; I didn’t initiate anything, so I’m supposed to block it”. They click Deny Access. The next day it tries to check while they’re playing Solitaire, so they click Deny Access again. The day after, it happens while they were in the bathroom, so they get tired of this and just click Deny Access And Remember. Now their anti-virus is never updated again.
The opposite can occur as well. They open an email and see a message from someone they don’t know and click the attachment to see the greeting card. An alert pops up telling them that a program is trying to access the Internet. They think “hmmm, I’m viewing email and I just clicked a Web-card, so it’s safe to allow it”. Now they are infected with a trojan and their zombie computer will begin sending out infected spam.
Truly, the best rule of thumb is to just educate the users in even a rudimentary fashion. If you go to the trouble of installing a firewall on grandma’s computer and telling her a rule of thumb as the above, then you may as well just give her a better, crash course instead.