20 reasons why Vista will be your next OS

28.06.2006

Although I asked Microsoft to brief me about planned changes to UAC several weeks in advance of this story, the company has not gotten back to me on that subject. As a result, my projection continues to be that Microsoft may well sacrifice user experience in the name of security. It's clear that Microsoft has heard the general outcry about UAC that appeared around the release of Vista Beta 2, and that changes will be made in the right direction. It's just not clear how far Microsoft will pull back or refine UAC.

The state of the protection mechanism in Vista Beta 2 is, in my opinion, unusable. Though the current beta fixed some UAC bugs that were in the February CTP (beta) release of Vista, UAC dialogs appear more often in Beta 2, not less often, as some other reports claim. If, for example, you attempt to delete a desktop shortcut icon for a program that was installed for all users on a Vista PC, UAC will prompt you to confirm the deletion when you drop that icon in the Recycle Bin. And when you get done with that? Recycle Bin's default delete-confirmation setting will ask you to confirm it all over again.

There are many other such examples of Microsoft's UAC overkill in Vista Beta 2. The thinking is so over the top that not only most users, but many companies, would be forced to customize or turn off UAC, were Vista to ship this way. There would also be a vast increase in support calls for companies that backed into Vista without giving UAC a good deal of thought. UAC may sound like security nirvana to many IT pros, and it still might be a good thing, if implemented properly. But as it stands in Beta 2, UAC proves the old saw about getting too much of a good thing.

Thankfully, Microsoft makes it possible to customize User Account Control in the Local Security Policy module of the Administrative Tools (the same eight settings are also in the Group Policy Editor). In Vista Beta 2, the configuration options don't really offer a great way to soften UAC gracefully without defanging it too thoroughly. In a nutshell, Microsoft should define elevation prompts for different types of threats. It should also offer an option to confirm an activity only once per definable number of minutes, or something like that, to cut down on repetitive prompts. It's also possible to turn off UAC entirely in the User Accounts Control Panel, although that's not a good idea. In Vista Beta 2, UAC is configured by default to drive-you-crazy, full-tilt safety.

I'd like to see what the future and final versions of Vista bring before I form a final opinion about UAC.