One thing that sounds interesting here is the concept of the "Protected Administrator". The protected administrator lets you log in as an admin, but only applications that are blessed as administrative applications will run under an administrative token.
All others will run with least privilege.
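As an added example (not from the original post): the shipped descendant of this idea is UAC, where an administrator's logon produces a full token and a filtered token, and a process gets the full token only when it is elevated. The filtered token still carries the Administrators group, but marked deny-only, so a membership check fails. This PowerShell function, assumed to run on a UAC-enabled Windows host, reports which token the current process holds.

```powershell
# Added example: detect whether this process runs under the full admin token
# (elevated) or the filtered least-privilege token an admin logon also gets.
function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole honours token group attributes: on the filtered token the
    # Administrators group is present but flagged "use for deny only", so
    # this returns $false even though the user is a member of the group.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        User         = $identity.Name
        AdminToken   = $elevated          # $true only in an elevated process
        ProcessId    = $PID
    }
}

# Run the check from a normal console and again from one started with
# "Run as administrator"; the same user sees AdminToken flip from False to True.
Get-TokenState | Format-List
```

The same split is visible with `whoami /groups`: in a non-elevated console the Administrators line shows the "Group used for deny only" attribute, while the elevated console shows it enabled.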
Of course we should all be writing our non-admin applications to run under LUA (least-privileged user accounts). But the protected administrator may make it possible for my Mom to run her applications safely.
Too bad this didn't make it into XP SP2 (Nice pop-up blocker BTW!).