Avoid Using Accounts With Administrative Privileges: "A common issue in many organizations is the prevalence of users that run their laptop or desktop with administrative credentials. It is a best practice for all user accounts to be members of the Users group. Users should not be allowed to log in routinely using accounts that are members of the Administrators group. By enforcing this change, users will not be able to install unapproved software that may contain viruses or other types of potentially dangerous code.

Implementing this requirement may be challenging, but using Windows XP Professional with logo certified applications makes this easier. Applications that are not logo certified may not run correctly for users without administrative privileges. To find a list of logo certified applications, look for software labeled "Designed for Windows XP" on the Windows Catalog page of the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22382."—Microsoft: Securing Windows XP