User Account Control
Here's the challenge for Windows administrators: your users have the ability to do too much with their computers. But that's a rather nebulous description, isn't it? What's too much? Too much, at least to an operating system, can encompass many things, including (inadvertently, of course) rendering a system all but inoperable by either deleting some crucial file or executing some program or script that tells the computer to do something you don't want it to do.
Why does this happen? Because in the past, most accounts ended up with administrative rights. In Windows XP, all accounts have rights as local administrators. The XP Setup Wizard is kind enough to place all users in the local administrators group.
This means that all XP users, by default, have the ability to:
Read, write, and execute permissions over every single file, including Windows system files.
Exercise all Windows rights (including, for example, the right to take ownership of a file and then change permissions at will).
Other accounts in Windows XP were standard user accounts, which had much more limited privileges over the computer. Too limited for a lot of companies, in fact. For example, a standard user account in Windows XP could not install applications, creating many a headache for the end user trying to get that "mission-critical" Active-X control installed in his browser.
But no more. Now, Vista introduces User Account Control, making it easier for companies to limit the rights of the average ...