Soda:
I _knew_ I should have explained that further... :p
The vast majority of the time the Power Users group is used is when an admin grants such rights to the user of a specific box. Therefore, in almost _all_ cases the user has physical access to the box with its associated and inherent security risks.
I understand that physical access _isn't_ required _but_ whether the access is local or remote there is still the issue that the admin "trusted" the user or that the user has already elevated his privs.
I believe, though I have to admit to never having actually tested it, that my policy of forcing the replacement of all permissions down through the system drive with permissions for only the Administrators group and the Local System immediately after a system has been installed goes a long way to mitigating many of these issues... But it also removes many of the "advantages" of the Power Users group.
I have never liked this group and have rarely authorized elevating a user to this level. I have always preferred to use Filemon to determine what access is required to which files and grant them specifically. Though I will admit that this can be a huge pain in the a$$...
