I will be way in the minority, but I actually allow my users to have LOCAL Admin privileges. You can still use NTFS permissions to lock down folders.
I know it opens you up to downloads and viruses, etc. But, you can use group policy IF have Active Directory on a server. It just seemed like I was constantly having to Run As Administrator whether to troubleshoot, fix or work on the computer.
That's one opinion.
Now, everyone else will tell you not to.
