
Thread: Risks of unmanaged IIS7

Last post 04-27-2009 11:59 AM by ma_khan. 1 replies.


  • 04-27-2009, 8:56 AM

    • giis2
    • Not Ranked
    • Joined on 04-27-2009, 12:02 PM
    • Posts 3

    Risks of unmanaged IIS7

    Hi,

    I've got myself a hard question:

    I'm developing a process control system that consists of a Windows Vista PC combined with a Windows XP machine (connected through a Windows network, separate adapter). On the Vista PC, IIS 7 is running with an ASP.NET application with forms-based authentication. The Vista PC is also used for the local UI (WinForms) and data storage.
    To use the application we should attach the Vista PC to the internet and open port 80 on the firewall.
    We don't use Windows Update; we want a very stable system for our customer(s) without reboots. Therefore, patches can't be installed quickly if a vulnerability arises. The system is at least updated once a year.

    So the question is: What are the risks of attaching a machine, containing an IIS/ASP.NET application that is not maintained on a daily basis, to the internet? For instance, what is the chance of being hacked into, so that others can control the machine?

    Regards,

    Jeff Hundam

  • 04-27-2009, 11:59 AM In reply to

    Re: Risks of unmanaged IIS7

    giis2:
    I'm developing a process control system that consists of a Windows Vista PC combined with a Windows XP machine
     

    Providing a solution which might be used extensively on a client operating system may not be the best idea... Apart from IIS, a server OS provides more robustness when compared to a client OS.

    giis2:

    We don't use Windows Update; we want a very stable system for our customer(s) without reboots.
     

    I would not agree with that... Windows Update can be managed by various methods... and honestly not all of them require a reboot... Secondly, Windows Update happens only for the components that are currently installed on your machine, and you have a choice of selecting the ones you require and the ones you don't. I would also not agree that by "Stable" you mean your system is rebooted just once a year...

    giis2:
    What are the risks of attaching a machine, containing an IIS/ASP.NET application that is not maintained on a daily basis, to the internet? For instance, what is the chance of being hacked into, so that others can control the machine?
     

    Depends on how much you are in control of your machines... IIS/ASP.NET are "stable" independent platforms. By stable here I mean "Extensibility", "Scalability", "Productivity" and "Security". Again you need to understand that at the end of the day IIS processes (w3wp.exe) run user code... so it depends on how "secure" the user code is. If there is a loophole at that point then there is really no point whether you update or don't update your machines...

    Hope this answers your question.

    Regards,
    MA Khan
    http://www.iisworkstation.com
