Windows 7 allows 2 types of user accounts to be created; The Standard (Limited) account and the Administrator account. Another type of account, called the Guest account, is also created on a new Windows 7 installation, though disabled.
The basic features of these accounts are listed below;
A guest account allows people to have temporary access to your computer. People using the guest account can’t install software, hardware, or change settings. While the default “Guest” account cannot be password protected, an existing user account made into only a guest account using an option below can have a password.It is recommended you leave this account disabled on your PC.
Standard user (Users)
The standard account can help protect your computer by preventing users from making changes that affect the system or other users. If a standard user wants to do something that affects the system or other users, they will get a User Account Control (UAC) prompt to provide an administrator password before being allowed to do so. If UAC is not turned on, then the standard user will not be allowed to do so.
Administrators have complete access to the computer and can make any desired changes. To help make the computer more secure, administrators may get a UAC prompt, if UAC is turned on, to give confirmation before being allowed to make changes that affect the system or other users.
Most people tend to use an administrator account as it is the default account type created with any Windows OS installation, which means that every application that they run has complete access to the system.
Therein lies the problem.
If you create a standard user account in Windows 7, and then use that account as your every day account, you will restrict applications from making changes to important directories, such as the Windows and Program Files directories.
If you are logged in as an administrator account, then any program that is run while logged in are run with the permissions of the administrator account. This means that the program has unrestricted access to your computer, including all files and folders.
With a standard user account, specific settings that affect all users, such as global settings, common directories such as Windows and Program Files can’t be changed. This also means that a program run under a standard user account will also be restricted by the account. This is a good reason why you should use a standard user account instead of an administrative account.
If you would like to install software, or setup a device, Windows 7 will prompt you for the administrator password before continuing. You don’t need to logout and login as an administrator to perform such actions, you simply provide the password in the dialog that appears.
You can also run programs under the administrator account by right-clicking the file to run and select “Run as administrator” from the context menu.
Me think that Windows should take a cue from Linux OS where access to the Administrator account, called root access in Linux parlance, should only be on a need basis. I strongly suggest that Windows should make the Limited User account type the default for any Windows installation.
Limited user accounts will stop or deter most of the ‘unpatched’ exploits against windows.This alone protects the windows from many unknown exploits or exploits yet to fixed. It will stop ‘garden variety’ types of spyware/adware/cool web search wares or unwanted changes to Windows itself and the browsers and the personal settings. In summary, It will also stop a good number of viruses or malwares without the need of any antivirus software.
Why only some – because any virus/worms or trojans that literally destroys windows files and the file system of the hdd will not be protected by the limited account alone. Some viruses/worms/trojans are extremely destructive and will simply destroy everything after they have stolen and relayed all personal data/passwords and personal or private details.
Also, some rootkits do not install when windows is active as the limited account and instead hide in memory waiting for the windows shutdown to finally install, thus avoiding windows protection. Once installed, they are running at the next windows boot, and running with a limited user account.
Lastly, most threats via emails would be defused by a Limited user account. Obviously a bat or com file would not do any damage, but some nasty virus could do some serious damage.
However, to make your Windows OS installation near impregnable, partnered with a limited user account, you must use a full time resdient antivirus to catch any active virus/worms/trojans and malware.