Darren Canavor, Program Manager on the UAC team has made a post on the Windows Vista Security blog about changes to the behavior of the built-in Administrator account:
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type for new accounts created after initial setup. The Power Users group is effectively deprecated. In addition, we’ve made it much easier to run as a standard user and even administrators run with limited Windows privileges and user rights by default. But people often ask us, “What about the built-in administrator account? Isn’t it a security risk to have an administrator account with no password?” Yes, in some cases this administrator account could be used to circumvent other security mechanisms. For example, parental controls could not be effective if the child could simply login with the built-in administrator account and do whatever they want, including disabling the Parental Controls. In Windows Vista RC1 we will have completed a series of changes to disable the built in administrator account under most circumstances. These changes apply to the default administrator account named Administrator, which is created during setup.”See full post at http://blogs.msdn.com/windowsvistasecurity.