The only way any OS Windows will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead making all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.
In addition, by default, NO .exe or .dll or other binary program should be executable in the context of any limited-privilege account, meaning that all binary software MUST first be installed from a superuser account for the system to use as a whole. It will also most likely be necessary to prevent even non-binary programs from running in the user-context without explicitly granting them permission.
That would solve about 99.999% of the malware problems and until that is done everything else is just adding additional ineffective security band-aids on top of a whole pile of other, older, ineffective security band-aids.
Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time, and then those “security” band-aids turn into major impediments for removing the malware. In other words, the security measures don’t block the malware, but does block the sys admin efforts.
“The only way any OS Windows will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead making all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.”
It doesn’t do that. It only forces you to set up one admin account when you first set up the machine. Any other users you add after that, whether they are manually added, or simply logged in through a network domain, default to standard users unless upgraded to an admin by another admin user.
The reason every user ends up an admin is because the standard users can’t do much of anything. They can’t install a printer, for example, or install an ActiveX control that you might need to work on some web app. So, people end up upgrading all users to admins just to avoid the hassles.
They need to stop having every program be required to be installed, and most should not even be allowed. Nor should any program be able to go modify setting for windows and everything else willy nilly. Right now every piece of crapware installs itself, adds a stupid toolbar, redirrects all your web use, and throws in some popups for a bonus. Plus it can decide to start itself when you turn on your computer, and often even override being disabled or removed.
It ought to be forbidden unless you click a lot of checkboxes from windows authorizing stuff to mess with other program’s private data and settings. If normal programs had no power to change settings or modify data except for their own, it wouldn’t be necessary to click through authorizing the install of everything with your admin password that it gets so common and routine that anyone could get tricked into allowing it, which is common now.
Is there a way to configure a W7 or W8 account like that?
Yup!