Conventional wisdom regarding Windows machines is to do all normal computing from a limited/standard user account, ostensibly to prevent malware from exploiting default administrator privileges. However, under Vista/Win7, even administrator accounts run with limited privileges by default, and will be prevented from performing any tasks that require administrator privileges, including running software located outside of designated locations if a software restriction policy is in place.
Therefore, it seems to me that for single-user machines (where you do not have to worry about errant users making unauthorized changes to the system), maintaining separate limited and administrator accounts serves no actual purpose. In short, I'm not aware of anything that can be done on a Win7 admin account that cannot be done on a limited user account without privilege escalation in both cases.
So, what am I missing?