[bluGill]

I have said for 20 years now that Microsoft Word should have a check on startup, if the current user is administrator it should put up a message that administrators are not allowed to use a Word Process, login as someone else. This one change would solve a lot of problems.

Even on home machines where no user has a password, having to do something special to get into administrator mode will stop several attacks just because people will slow down and ask.

[codewench]

That's pretty much what Microsoft tried with the UAC prompts, and that was fairly universally disliked. Not that I disagree with you, running as admin by default is a terrible practice, but it's a tough sell to the general public

[Dalewyn]

Administrators can and should be able to do anything and everything, that is literally an administrator's job description.

Also, if you want to stop everyone from using administrator accounts, the simplest way is to not have the Windows installer/OOBE setup make an administrator account first.

Windows has a built-in Administrator account already not unlike Root in Linux, there is no reason (other than tradition and absolute convenience) the Windows installer/OOBE setup needs to make an administrator account for the user installing/setting up.

[Vogtinator]

Would that actually have a positive effect? Running malicious software in the only user's context can already cause maximum damage: https://xkcd.com/1200/

This would just result in more UAC prompts and thus annoyed users who get taught to click on "Allow" whenever a dialog pops up.