I stole this idea from Linux, although I haven't seen anyone else implement it in Windows yet. I recursively removed all executable bits for the owner from the ACL on all files in the user's home directory (this includes groups that user belongs to). Mind you all the user would have to do is add it back, they do have the right to. The idea is that the user can't accidently ever click on an executable in their documents, on their desktop, or in the mail. This system doesn't affect word documents, shortcuts, or anything else since Windows uses the file extension to decide which program is used to open it. Since only the home directory has no default executable permission the only thing that won't run is install programs or standalone apps. I use this system and you wouldn't even know it's there. The only time I need to run an executable in my home directory is when I'm installing something. I just use run as to elevate my privledges anyway, since I run as a user account, and since only the owner has no executable set, I don't even need to change the ACL. This might even stop some trojans from running which attach themselves to something else, like a jpeg or a word document. I'm not sure.