longzheng said:

Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is possible for an RCE vuln to gain administrative privileges on your desktop without your approving it.

UAC was not a security boundary in Vista, it's not a security boundary in Win7.  This is an unpleasant truth but it's one that MSFT has been making for 3 years.  Our messaging on this issue hasn't changed over all this time.

I was incorrect in my comment above about UAC btw - it is a security feature.  It's just not a security boundary.  It's a convenience feature only, there simply are too many ways for malware to bypass it for it to be considered a defendable security boundary.

The only difference between Win7 and Vista is that on Win7 it is marginally easier for malware to auto-elevate.  But any malware that exploits that "marginally easier" mechanism is trivial to defeat - just set your UAC defaults to be the same as they are for Vista.

The internet->local machine IS a defended security boundary both by Microsoft and 3rd parties.  And Microsoft actively defends that boundary - you know that because of the monthly security fixes that are issued by both Microsoft AND 3rd parties (think Adobe, Mozilla, Google and Apple) - these are all examples of those vendors patching holes in their applications to defend this boundary. 

The goal is that there be no way for malware to get on your machine without your permission, we're not there yet and we may never get there. 

The internet->local machine boundary IS a defendable boundary because the internet is (hopefully) sandboxed in a web browser thus there's a controllable interface between the two that can be defended (although it is VERY hard to defend this boundary due to the amount of code that runs in the browser). 

On the other hand, UAC/IL is NOT a defendable boundary (UAC as a feature is useless without IL) - there's simply too much shared state between applications running in the same session to defend the boundary.  This is true for ALL graphical operating systems, btw - the instant you run an application at a higher level of privilege malware running in the lower privilege level can take over the higher level process.

As I've said before, there's only one safe configuration for both Windows AND *nix - run as a standard user and switch to an administrative user running in a different session whenever you need to perform an elevated operation.  Most users (of both *nix AND Windows) aren't willing to put up with that level of inconvenience.
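As an added example (not part of the reply above, and not Microsoft's or the commenter's own code): a PowerShell script that audits, and with -Apply sets, the Vista-style UAC policy the reply recommends, i.e. "always prompt for consent on the secure desktop". It assumes the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System as documented by Microsoft: ConsentPromptBehaviorAdmin = 2 is the Vista default, while the Windows 7 default of 5 skips the prompt for signed Windows binaries, which is the "marginally easier" auto-elevation path the reply refers to.

```powershell
# Audit / remediate UAC prompt policy (added example, assumes the documented
# Policies\System values; run from an elevated shell to change anything).
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Vista-style settings: every elevation prompts, and the prompt is shown on
# the secure desktop so code in the user's session cannot spoof or click it.
$Desired = @{
    EnableLUA                  = 1   # UAC on (a change here needs a reboot)
    ConsentPromptBehaviorAdmin = 2   # 2 = prompt for consent on secure desktop; Win7 default 5 = no prompt for Windows binaries
    PromptOnSecureDesktop      = 1   # 1 = dim the screen for the prompt
}

function Get-UacPosture {
    # Returns one row per setting with the current value and whether it matches.
    $current = Get-ItemProperty -Path $Key
    foreach ($name in $Desired.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Current   = $actual
            Desired   = $Desired[$name]
            Compliant = ($actual -eq $Desired[$name])
        }
    }
}

$report = Get-UacPosture
$report | Format-Table -AutoSize

if ($Apply) {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell to change UAC policy.'
    }
    foreach ($row in ($report | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path $Key -Name $row.Setting -Value $row.Desired -Type DWord
        Write-Host "Set $($row.Setting) = $($row.Desired)"
    }
    if (($report | Where-Object { $_.Setting -eq 'EnableLUA' -and -not $_.Compliant })) {
        Write-Warning 'EnableLUA changed; reboot for it to take effect.'
    }
}
```

Running the script without -Apply is safe on any machine and shows which of the three values differ from the Vista defaults; this is a useful check in a fleet baseline, since the value the reply cares about (ConsentPromptBehaviorAdmin) is the one that Windows 7 relaxed by default.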