Jim Allchin has a great post over on the Vista Team's blog about the tradeoffs and choices made in terms of all the new Vista security features such as User Account Control (UAC) and Data Execution Prevention (DEP). He really drills into the importance of those feaures but also the importance of not making them so cumbersome that users turn them off. Also remember that these design choices will end up effecting hundreds of millions of users over Vista's lifetime and you can see the importance of seemingly small decisions like "should we really prompt the user when he tries to change x, y, or z?". Also you can see from his post that there was quite a bit of feedback from beta testers and customers that was taken into account and did result in changes.