I'll chime in and agree that removing admin rights from regular accounts is one of the best things you can do. The rest of the computer world has been doing it for 50 years or so; it's high time the Windows world joined in, too.

We started doing this when we started migrating from Win9X to 2000/XP. Best thing we ever did. The amount of trouble due to stupid things has dropped dramatically. Users can't screw up their own computers any more. We don't have "mystery software" -- no "so-and-so used to work here and had this program and now we need it but don't know where it is". No pollution of user PCs with crap from home or the Internet. The virus/malware problem is hugely mitigated by this alone.

It's been some work, and it's often still a lot of work when we get a new application in. Fortunately, when someone thinks to ask IT before the sale, I can tell the vendor "fix your LUA bugs or we walk". Even for a small company like this, that gets results.

Someone mentioned "he's a senior admin and I can't really justify not letting him have admin rights". I can't speak for the politics in a particular company, but where I work, nobody has admin rights for their regular account. Nobody. Not the owner, not the president, not me. I'm the IT Manager and half the IT department, and my regular user account has less access than a lot of other people. I know the passwords to the admin accounts, of course, but my regular account is a regular account.

I strongly believe this should be the first tech improvement priority in any IT organization that isn't already there.

-- Ben