So, plugging in a malicious USB storage device can not only execute malicious code, but can do it with elevated privileges.

Can it be done on a locked PC or must a user be actively logged in? I presume the former, as I don't believe the mounting process requires the PC to be unlocked.