In November 2004 I posted an article to MSDN entitled, "Browsing the Web and Reading E-mail Safely as an Administrator". The amount of positive commentary and feedback was staggering, which made me write the follow-up to this article a little faster than I had anticipated!
"Browsing the Web and Reading E-mail Safely as an Administrator, Part 2" goes one step further and outlines how you can use policy, rather than API calls, to force and application to run as a user, even if you are logged on as an admin. For example, you could mark you fave browser to always run as a user, regardless of whether it starts by invoking an URL on the desktop, a link in email, a newly spawned browser and so on.
Comments welcome. And thanks to all those who provided feedback on DropMyRights.