Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:
– Clicking on email attachments from unknown senders
– Installing unauthorized applications
– Turning off or disabling automated security tools
– Opening HTML or plain-text messages from unknown senders
– Surfing gambling, porn, or other legally-risky Websites
– Giving out passwords, tokens, or smart cards
– Random surfing of unknown, untrusted Websites
– Attaching to an unknown, untrustworthy WiFi network
– Filling out Web scripts, forms, or registration pages
– Participating in chat rooms or social networking sites
Somethings I would add: participating in P2P or IM services at work; not evaluating information that they send out via email whether their audience should be reading it or not; purchasing and installing random devices on their computers (ipod, wireless APs, mobile handhelds…); and the list can go on…