UAC (User Account Control) is probably the most welcome security update. A large portion of today's malware requires that the user executing the malware be logged in with administrative privileges. Unfortunately, for one reason or another, many of today's users are logged in as administrators all the time.

UAC will avoid that problem by running most programs in a more restricted context (actually, it's an expansion of the Restricted SID available in XP today), even when the user is an administrator. For example, if you are logged in as an administrator, your Internet Explorer session will still run as a non-admin user. To accomplish admin-level tasks, you'll be prompted to re-enter your password.

On a related note, a new privilege is being added so that non-admin users can adjust the system's time zone settings. This is a welcome addition for traveling users.

Microsoft's AntiSpyware software will be integrated into Windows Vista. This should prevent more malware from successfully deploying. And Registry redirection features will offer an extra layer of protection against malware, too: Legacy (pre-Vista) applications that expect to write directly to protected system Registry locations will instead be transparently redirected to virtual registries.

Vista also has Secure Startup. On Enterprise versions, this means the entire hard drive can be encrypted prior to boot, and the encryption key will be securely stored inside a Trusted Platform Module chip on the motherboard. Many of the methods used to circumvent permissions using NTFS-aware boot disks will no longer work.