Thoroughly securing a shared workstation

Discussion in 'Software' started by Zwaplat, Sep 30, 2009.

  1. Zwaplat

    Zwaplat Private E-2

    Hi everyone.
    I'm trying to secure a PC at work, which is used by several people for image acquisition and treatment. This PC is connected to the network in the lab.

    Several months ago, when the whole setup was brand new, the PC didn't have any protection -at all-. This quickly resulted in an infection with a Brontok worm, which most probably came through an infected USB stick or via the network.
    I was able to remove the infection thanks to the great people here at the malware forums, and I installed every protection I could (avast! for realtime scanning, Spybot and Spywareblaster for immunizing and scanning, MBAM and SAS for optional scanning, Comodo firewall). Somehow, the worm managed to reinfect the PC several weeks after my initial removal. We did everything we could to prevent this in the first place: USB sticks were forbidden, I disabled the autorun feature, AVs were up to date and scanned regularly, the firewall was active, users only had access to a user account in Windows.

    Currently, the PC is clean as far as the scanners can tell. But people still need to be able to retrieve their data from it so they can use it at their own desk. This will unavoidably lead to more infections.

    The easiest solution of course would be to go scan every computer in the lab, but that brings with it a huge social networking problem (you can't even start to imagine) and also the fact that about 85% of the computers here are Macs... which, as far as I can tell, can still act as a carrier for the virus, although it won't be active.

    The only other solution is preventing reinfection on the station itself.
    We would like to keep internet connectivity so as to keep the antivirus databases up to date without too much hassle, and to enable people to retrieve their data via the network. If it's not possible to prevent accidental infection this way, how can I effectively block anything from reaching the PC from the network without actually unplugging the cable?

    If retrieval through the network is not possible, people will need to use USB sticks to do it. As stated before, I disabled autorun, but I'm not sure that that will prevent everything becoming active as soon as a key is plugged in. We could force the people to have their keys scanned before they use them to retrieve data, but I have to be sure that nothing gets active on the key before I get the chance to scan it. How do I do that?

    Thanks.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I will never understand why work computers are connected to the internet, ever. Workstations for computer power and storage should be separate from internet PCs, especially considering the stupid crap people do. You're not going to like my answer, but BUSINESS is BUSINESS, I have always said all companies should have offline PCs for data back, storage, etc. Just like a home PC, the only way to be 100% safe is to disconnect.
     
  3. Zwaplat

    Zwaplat Private E-2

    Well, as far as I'm concerned it gets unplugged. I don't care, except for the fact that it'll be me who will be sneakernetting software updates, since there is no dedicated person for IT purposes.

    And in any case, if the damn thing isn't connected to the network, people will definitely be sticking all sorts of portable drives in every USB-port they can find, sooner rather than later resulting in another infection. This whole system (lightbox, camera, computer) cost 15000 euro, and is meant to be used by about 40 people if they need it to acquire images that can only be acquired once. After this, image analysis can (and has to) be done by software that can be run on any computer, so exporting the data from this workstation is inevitable.
     
  4. Zwaplat

    Zwaplat Private E-2

    I agree with everything you said. I'll explain the situation: we're talking about a lab at a university faculty in France.
    First off, bureaucratic France, really bad organisation of anything you can imagine including IT. The faculty has IT staff to take care of the routers/servers/whathaveyou, but beyond that every lab just does what they feel like doing.

    Furthermore, our lab consists of several research groups, all working a bit independent from one another. Due to social tensions, people from one group can't just go running up to other groups telling them they want to scan their computers. That would cause an outright Cold War.

    So, our group bought this system, put it in the lab, and has to allow other groups to use it because otherwise they'd just refuse us access to their systems which we need for other applications.

    So yes, it's a nightmare, and sometimes I'd love to start shouting because of it, but it wouldn't help.


    I'll just put this idea out to my 'bosses': everyone who wants to use our system and retrieve data from it will have their computers subjected to thorough scanning or be refused access.
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    As DomLuc hinted, it is not just France :) People seem to want to have some sort of ownership or control of their PCs from the boss to the user to the IT department. Too bad. If they could just use a simple internal network, only for security, to share their documents, life would be easier. Wish we had an answer, but people are usually the problem. Let us know if you ever get anywhere with it :)
     
  6. Zwaplat

    Zwaplat Private E-2

    Indeed, life would be much simpler.
    Thanks for the advice and insights so far, I'll keep you updated. ;)
     
