On a fresh install of Win7 with SP1 integrated, I do the .Net security updates first, followed by the other security updates, followed by SP1 (if still offered), followed by IE11.
Then do more Windows Updates for security patches.
I don't do the non-security "update" patches, too much telemetry and GWX crap, don't need it.
Edit: Oh, and when doing the installation, ALWAYS choose to not do updates. Then the first time that you go to Windows Update, select "do not install updates". This will shut off auto-update, but still let you update manually.
NEVER use auto-update.