The users tend to be less tech savvy than Linux users so they tend to not have adblockers and or allow arbitrary JavaScript from any page to run and or they are running trojanized software because the uploader was “trusted”.

Due to market share they are the biggest target.

Untrusted devices should be on an isolated subnet or if you have the time only devices that need to talk to each other should be on the same subnet.

In general, a compromised system may be running any software the attacker might find useful, including, but not limited to:

• keyloggers to find passwords that are in use in the company
• software to copy sensitive files to a remote server
• software to encrypt the system itself or (if the computer has access to other machines on the network) other computers
• produce documents (think, mail) that purport to have been created by the user of the corrupted machine.