The delineation of rights and sandbox in Windows?

The point is to prevent running programs from where has write access and allow launch where it is impossible to record.
1. To create a user in the Users group.
2. Further, the control Panel → administrative tools → software restriction Policies using programs → Additional rules. Add rules with the ban on drives C: and D: (if any), allow the Program Files, Windows, system32. Also you can prevent and stick.
3. For convenience, to be able to run programs on the labels of Designated file types (located in the Policies limited the use of programs) to remove the labels. There you can remove files from the forbidden fide help, etc.
\r
Install all the software you need to create policies. Tested on XP, on Seven don't know how it will work. With some problems may occur.

Guest + runas. Nothing unusual about that.

Just yesterday floated the question: http://habrahabr.ru/qa/4761/

hmm, in Windows 7, just don't disable the UAC and not download the exe from the mail and porn sites

a little on the subject was on habré habrahabr.ru/blogs/sysadm/97594/

Not sure what will suit you, but look in the direction of "sandbox", for example. Superuseful thing.

I'm afraid Windows will fail to configure as Windows — too many people wishing to break and too is the same code everywhere, which makes it easier to write exploits.
In addition vysheupomjanutye tips I recommend to install the 64-bit Windows 7. During the development of MS have implemented some additional obstacles in the path of hackers, together with a small prevalence while that is a good additional protection.