The Best way to set up Vista

Many months ago, I was asked for recommendation to set up a brand new Vista machine to provide maximum security protection. I subsequently discovered that my recommendation earns the 'Best' rating by Jesper M. Jphansson in his article "The Long-Term Impact of User Account Control".

Here are the ratings for various set up (figure 2):

Protection Level	Elevation Method
Worse	Turn off UAC.
Bad	Automatically elevate administrators.
Good	Run in admin-approval mode.
Better	Run as standard user and elevate to a separate admin account.
Best	Run as standard user and switch user to a separate admin account instead of using UAC to elevate.

The default set up is to rely on AAM (Admin-Approval Mode) and that only earns a 'Good' rating. Jesper explains why this is not as good as using a separate account:

This lessens the risk of a poisoning attack, where a malicious non-elevated application poisons the user environment for an elevated one, but it does not necessarily remove the ability of a non-elevated application to control an elevated one.