Slarty:

You are dead right.... Unless you are in a high security environment where you can control to the nth degree what programs may be run within it there are literally dozens of apps out there that require the user to be a local admin. Really they are simply badly written apps where the developer wrote it as admin with no knowledge of how to write it so that it could be run at a simple user level. While they can't get away with it in areas were competition for market share is rife they can, and do, in niche markets. I'm in one.... Non-profit... I see it all the time.... Apps the users need, and genuinely do help the organization, are written so they only run as local admin. There is either no competition against the chosen software or it is so bad that it pales to insignificance. On the bright side, social workers don't have "crackers" minds for the most part and those that are actually computer "savvy" stick out the first time myself or my staff talk to them. My staff are told to inform me if we encounter "talented" users so they can be watched.

In addition, regardless of the fact that csch claims he runs no software that can be exploited for admin rights (?), he is right in that all you can do is monitor carefully those users that are required to have local admin to run their apps. It doesn't mean they need their app on any box they go to, therefore they can be restricted to their own machine making monitoring easier.

Finally, as you clearly pointed out already, physical access + a little talent = owned box.