It isn't directly related to Internet Explorer, but Mark Russinovich's Inside Windows7 User Account Control article over on TechNet provides an illuminating explanation of why UAC isn't a security boundary, but why it helps protect against malware anyway.

For IE8 on Win7, the change is that if the system detects that an ActiveX control install will require user-confirmation via the UAC prompt, the (redundant) Authenticode prompt is bypassed.