I've been working towards migrating my end-users away from belonging to the local administrators group. I've said to hell with UAC - I only want standard accounts running. This has already protected one system where an individual clicked a malicious email link. I have been finding ways to allow programs to run that would normally require admin-level privileges, but I'm still uncertain of just how safe my systems are.
I believe a piece of malware could still log keystrokes, delete users' data files, and try to compromise/crash other software to elevate privilege. A standard user account could still run a stand-alone executable such as a cryptovirus, but would be limited to altering data that their account has write permission on.
My question then is, just how secure is a fully patched Windows 7 system if end-users do not hold admin rights?
Thank you in advance for any insight.