In an attempt to make Windows 7 generate fewer UAC (User Account Control) prompts Microsoft has neutered the mechanism to the point where it’s next to useless. Here’s Long Zheng’s take on the issue: The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely. Now you might not think that this is all that important since this setting cannot be changed unless the user chooses to do so. Wrong. With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that - emulate a few keyboard inputs - without prompting UAC. You can download and try it out for yourself here, but bear in mind it actually does disable UAC. Fortunately, there’s a simple workaround: Until when Microsoft decides to fix this, if they do at all, beta users of Windows 7 can also apply a simple fix. Changing the UAC policy to “Always Notify” will force Windows 7 to notify you even if UAC settings change. Annoying, but safe. source: blogs.zdnet.com
This story is half right and half wrong. I mean yeah it can compromise a system, but everyone and their brother bitched that UAC was too restrictive. Now it behaves much like OS X only prompting for things that need to run elevated. It's not Microsoft's job or fault to sit here and educate people on how not to be stupid. If you have shady or crappy surfing habits then it is on you. If I know I am going to go to a site that is not reputable or if I am going to go surfing for porn then I use firefox. I also don't use crappy AV programs that sit there and give you a false positive on everything. Bottom line is that if you expose yourself to malware then it is your own fault. No controls are going to be able to stop stupidity.