Well, after reading Aaron Margosis' blog, I decided to give running as a limited user at home another try... I'm used to running *Nixoid workstations in this manner of course and I've tried running this way on my Windows boxes on a couple of occasions in the past and had been dissatisfied with the experience: The first time, I had just clean installed my NT4 Workstation machine and ran for a few weeks as luser until my lovely wife put a stop to it because of the applications compatibility issues we saw with a bunch of applications she was attached to. The second time was a few years later on our Win2000 Pro machine that I had setup and operated for quite awhile as admin and when I tried to get our luser profile running by default, I ran into a maddening series of MSI issues with Office applications and other app-compat issues, not to mention getting fed up with having to logout\logon whenever I wanted to install apps or visit Windows Update.
This time however, was different: Following the guidance contained in this article for PCs that aren't domain joined, I took the XP SP2 Media Center PC that serves as our primary desktop at home and kept the renamed administrator account password protected, limited the permissions of our shared primary login, removed it's password, and created another admin account without a password. I had to make a few permissions tweaks to some files and directories to make Media Center happy among some other apps, but by and large it was truly painless this time. Switching to admin is a matter of hitting Win+L and clicking over to the "red desktop" and my wife hasn't squeaked once about anything not working as it did before.
So far it appears to be the most livable luser setup for Windows I've yet seen and I'll probably give this a try on our daughters' spyware server this next weekend :-) Actually, the Microsoft Anti-Spyware utility has been running for quite a while on their PC and giving it a clean bill of health, but my uncle was not so lucky. A few weeks ago, he called me up and asked me to drive up to his house up north and help him clean up his family PC. His teenage kids had been running Kazaa on it for P2P and the machine was literally possessed of virii, spyware, and trojan malware! Between the McAfee-identified virii (whose prompts my uncle had been ignoring because they were getting drowned out by the din of other pop-ups that were assailing him every time he logged on), and the Microsoft Anti-Spyware depth scans, more than 60 (yes, 60!) threats were identified and removed with apparent success! If I'd had more time to get into it, I would likely have clean-installed the machine just to be safe but it does appear to be in much better shape now. I went ahead and set his machine up as a luser box as well and he's been reporting that this is working well for him, though his kids have noted that their P2P apps tend to be much more unstable because their failed attempts to write to locations they shouldn't are apparently not being handled very gracefully ;-)
Responding to the Anti-Spyware product, it's amazing. I visited a friend who couldn't even get past the login because of the 1000's of emails being sent and Norton's inability to stop this distribution. I was shocked by the 30 or so threats, but the software did its job well I must say.
I'll say it was a dismal mess. He was directly connected to the broadband modem w/o Windows XP SP2 or the firewall enabled.
The most amazing thing was the firewall catching an incoming RPC call and notfiying us about it while I was there trying to get the trojans under control.
If only everyone ran under limited rights...
He's told me that the few weeks he has been on his own, the pc has been much more stable.
When I first got my new computer a couple years ago, my main account was an admin for the first month or so, then I reduced it to a limited user (I'm on XP home). When I did this, I actually wasn't as limited as a true limited user: I could delete stuff off of the All Users Start Menu, could modify stuff that I had installed in Program Files back when I was admin.
When I reinstalled Windows a few months ago with SP2, I did it right from the start. Now, my limited user is truly limited: can't delete stuff out of All Users start menu, can't modify Program Files at all. So, if you did the "reduce an existing admin account" method, it's actually not "truly" limited. But still much better than admin of course.
Jonathan - re still retaining "too much" power after going to Limited User - see my discussion of "Objects created while running with elevated privilege" here: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx
I now recommend setting "Default owner..." to "Administrators group" right away.