Your users should never have administrative rights on their workstations. But many admins are administrators of their own local systems, and are obviously running with elevated permissions when they log onto servers.
You should never cruise the internet on a server. But you may need to go to Windows Update, or to vendor sites for drivers. The problem is that even trusted sites may become compromised. If you are on the internet with elevated rights, any malware that hits you will run with your elevated rights. Bad things can happen when a malware process runs as a domain admin.
Windows 2003’s attempt to harden IE is so annoying that it typically results in administrators turning it off. I wrote a command file and a VBScript to address this problem. LowPrivIE.zip contains InstallIEShortcut.cmd, batchcreateshortcut.vbs and a readme.txt file. Unzip all files into a common folder and add a current version of psexec from SysInternals.com. (For more information on psexec, see my post at www.akaplan.com/?p=240.) Run the InstallIEShortcut command file to add a non-admin IE shortcut to the All Users desktop of a local or remote computer. The shortcut uses psexec -l to create an instance of IE without administrator rights.
The batch file accepts a computer name as an argument, so you can use a FOR command to run it against a list of computers. An example is in the readme file.
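
To show what a shortcut of this kind looks like, here is an added example. It is not the batchcreateshortcut.vbs from LowPrivIE.zip. It builds a psexec -l shortcut on the local All Users desktop only, and the psexec location `C:\Tools\psexec.exe` and the shortcut name are assumptions.

```vbscript
' Added example, not the author's batchcreateshortcut.vbs.
' Creates an All Users desktop shortcut that starts IE through "psexec -l".
' Run it as an administrator: the All Users desktop is not writable otherwise.
Option Explicit
Dim shell, fso, psexecPath, iePath, desktop, lnk

Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Assumed psexec location; pass another path as the first argument to override.
psexecPath = "C:\Tools\psexec.exe"
If WScript.Arguments.Count > 0 Then psexecPath = WScript.Arguments(0)
iePath = shell.ExpandEnvironmentStrings( _
    "%ProgramFiles%\Internet Explorer\iexplore.exe")

' A shortcut that points at a missing file only fails when someone clicks it,
' so check both targets before writing anything.
If Not fso.FileExists(psexecPath) Then
    WScript.Echo "psexec not found: " & psexecPath
    WScript.Quit 1
End If
If Not fso.FileExists(iePath) Then
    WScript.Echo "Internet Explorer not found: " & iePath
    WScript.Quit 1
End If

desktop = shell.SpecialFolders("AllUsersDesktop")
' The shortcut name is an assumption, chosen to be distinct from the stock IE icon.
Set lnk = shell.CreateShortcut( _
    fso.BuildPath(desktop, "Internet Explorer (non-admin).lnk"))

lnk.TargetPath = psexecPath
' -l          run the process as a limited user (Administrators group stripped)
' -d          do not wait for IE to exit, so psexec returns at once
' -accepteula suppress the license dialog current psexec versions show on first run
lnk.Arguments = "-accepteula -l -d """ & iePath & """"
lnk.WorkingDirectory = fso.GetParentFolderName(psexecPath)
lnk.IconLocation = iePath & ",0"
lnk.WindowStyle = 7   ' start minimized so the psexec console stays out of the way
lnk.Description = "Internet Explorer started with psexec -l (no administrator rights)"
lnk.Save

WScript.Echo "Created " & lnk.FullName
```

Run it from an elevated prompt with `cscript //nologo` followed by the script name, then confirm in Process Explorer or a similar tool that the iexplore.exe started from the shortcut no longer has the Administrators group enabled in its token.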