Quote: and yet still get the protections that you would have had if you were logged in as a normal user
This is not quite accurate, Tony. What's going on is this:
When you log in as a member of the local Administrators group, Vista generates two access tokens for you, rather than the usual one. There's the original, and one with all of the dangerous bits taken out.
All of your applications run under the restricted token, which means that they cannot get access to the extra rights in the token.
If a program requires administrative privileges, either because Vista makes a guess that it does (because it's called setup.exe, for example), or because it contains a manifest that says that it does, then you'll get the elevation prompt which asks you to press Continue. If you press Continue, then the application is run with the full-monty token.
Some asides here:
1. You can write your application to explicitly say "I don't need admin privileges, so don't guess", or to say "I'll take admin privileges if they're available, but otherwise, don't worry about it".
2. You can configure Windows to ask for your password again, rather than just the "Continue" button.
3. As Tom points out, this prompt runs on the "secure desktop", but you can turn that off, too.
If, on the other hand, you log in as a normal user, then, if a program requires admin privileges (same logic as above), you'll get a prompt asking for an administrative user name and password, and that process will run under a different user account, rather than the same user account with a different token.
It's actually a pretty good scheme, but I'm not going to say there are no holes in it.
_________________________
-- roger
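
An added example, not part of roger's post: a PowerShell check that reports which of the two tokens the current session is running under and how the elevation prompt from asides 2 and 3 is configured. It assumes the standard UAC policy values under `Policies\System` and an English-locale `whoami` for the attribute text; the function name `Get-UacPosture` is made up for this example.

```powershell
# Added example (not from the original post). Read-only; no elevation needed.
function Get-UacPosture {
    # Standard location of the UAC policy values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key

    # Coarse reading of ConsentPromptBehaviorAdmin that holds across versions:
    # 0 = no prompt, 1/3 = ask for credentials, 2/4/5 = ask for consent ("Continue").
    $prompt = switch ($pol.ConsentPromptBehaviorAdmin) {
        0            { 'none (silent elevation)' }
        { $_ -in 1,3 }   { 'credentials (password)' }
        { $_ -in 2,4,5 } { 'consent (Continue button)' }
        default      { 'not set' }
    }

    # IsInRole() is False under the restricted token, because there the
    # Administrators SID is present but marked deny-only.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminOn   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami shows the raw group attributes, including deny-only entries.
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Explicit headers keep the column names locale-independent; the header
    # row itself is dropped by the SID filter.
    $row = whoami /groups /fo csv |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User                   = $id.Name
        UacEnabled             = ($pol.EnableLUA -eq 1)
        AdminPromptType        = $prompt
        PromptOnSecureDesktop  = ($pol.PromptOnSecureDesktop -eq 1)
        InAdministratorsGroup  = [bool]$row
        AdminGroupActive       = $adminOn        # True only with the full token
        AdminGroupAttributes   = $row.Attributes # e.g. "Group used for deny only"
    }
}

Get-UacPosture | Format-List
```

Run it once from a normal prompt and once from an elevated one as the same administrator: `AdminGroupActive` flips from False to True while `User` stays the same, which is the same-account, different-token behaviour described above.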