That’s why you don’t let your users have local admin privileges.
Small town departments aren’t bright enough to pay a consultant to come in for a week and streamline things to prevent accidents like this. And yes, limiting users to minimal privileges is in the top five things that ought to be done. I’d even lock down users to no more than thirty minutes a day of browsing.
That is a good not just for computers on a business network but also for your home PC. I have my computer set up (Windows 7) with an account for full administrator access rights but that requires a strong password to log into and I change it regularly and I never, ever, ever surf the net or even login as the admin unless absolutely necessary. For daily use including getting on the internet or checking my email, I log into a guest account set up with absolutely no admin rights and that log on requires a different log on password.
Anytime I get a request for a software update installation such as for Adobe or Java or try to download and or install a program or make any system setting changes, etc. while logged in as the non-admin guest, I will get prompted for the admin password.
This is of course not 100% foolproof I know, but it helps.