Too lazy to run without admin rights.

by Pber April 12, 2010 18:14

The best security is to use a limited (i.e. normal user) account for day-to-day operations and a second administrative account only for administrative functions.  Too often, I see that many admins are too lazy to do this.  The most common argument is that it is too much hassle, or that 90% of my day-to-day job is admin functions.  Fair enough.  Maybe 90% of your job is admin functions, but you can still do it securely and with relative ease.  Security isn't a convenience, it's a requirement.

Let's first discuss why it is bad to run as admin.  When I refer to running with admin rights, I include both domain admin privilege and local computer admin privilege.  The local computer admin privilege is often overlooked, but it is a huge security concern.  Local admin rights open your computer up to rootkits and other nasty malware that can then be installed easily.  Once the local computer is compromised, the next time a domain admin logs on to that computer, or uses elevated rights on it with Run As, your entire domain could be compromised.  So your day-to-day account should be a normal domain user and a normal local user.  A good rule of thumb is to never read email or surf the web with anything other than a normal user account.

So how do we make our lives easier as admins?  Vista and Windows 7 have UAC, which I personally love, but for XP Run As is the key.  I'll admit it is quite the hassle.  Right-clicking a program, selecting Run As and entering a username and password every time isn't convenient.  To make matters worse, CLSID-based shortcuts don't even allow you to use Run As.  Another option is to use runas from the command prompt for each program, or even to create runas shortcuts and just provide a password when you need to use them, but that is still a hassle.


The best way I found to do this is to do a combination of the two.  I open a command prompt using run-as.  So my command window is running with admin rights and I leave the elevated command window opened whenever I’m logged on as a normal user.  Whenever I need a tool with admin rights, I just drag and drop the shortcut into the command window, or just type the tool command name into the command window and it’s running with admin rights.  After showing this technique to my fellow admins, they all started using it.


Using the technique had a downside as well: sometimes I would get my normal command windows and my admin command window mixed up.  The best solution for this is to set the colors differently for the two windows.  So in the properties of the admin command window, I changed the colors to green on black, and left the defaults for my normal ID.  Ensure you select the option "Modify shortcut that started this window" when you save the changes, so the colors persist.  Now I have a quick visual indication of which window is my admin command window.
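The technique above, as a batch file you can keep on the desktop of your normal account. This is an added example, not the author's own script; the admin account name MYDOMAIN\adminuser is a placeholder, and the membership check only looks at direct members of the local Administrators group.

```batch
@echo off
setlocal
REM admin-prompt.cmd -- added example, not from the original post.
REM Opens a second cmd.exe under a separate administrative account so the
REM interactive logon stays a limited user. The new window is green on black
REM with an "ADMIN" title, giving the visual indication described above.
REM Assumption (placeholder): the admin account is MYDOMAIN\adminuser.
REM /savecred is deliberately NOT used, so the password is prompted each time
REM and nothing else can silently reuse the admin context.

set "ADMIN_ACCOUNT=MYDOMAIN\adminuser"

REM Sanity check: warn if the day-to-day account launching this script is
REM itself listed as a direct member of local Administrators, which defeats
REM the point of a separate admin account. (Approximate: substring match,
REM and nested group membership is not resolved.)
net localgroup Administrators 2>nul | findstr /i /c:"%USERNAME%" >nul
if not errorlevel 1 (
    echo WARNING: %USERNAME% appears to be a member of local Administrators.
)

REM Everything inside the quotes is the command line of the new cmd.exe:
REM   color 0A  = green text on black background
REM   title     = label the window so it is obvious which one is elevated
REM   echo      = print the account the new window actually runs as; the
REM               %% escapes make the variables expand in the admin window,
REM               not in this script, so they reflect the admin logon.
runas /user:%ADMIN_ACCOUNT% "cmd.exe /k color 0A && title ADMIN - %ADMIN_ACCOUNT% && echo Running as %%USERDOMAIN%%\%%USERNAME%%"

endlocal
```

Leave the green window open and drag shortcuts or type tool names into it as described above; close it (or lock the workstation) when you step away, since anything started from it inherits the admin rights.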


I hope this helps.



Security

Comments (2)

9/9/2011 12:14:26 PM

I use this approach while working on my company's computers, and log into my workstation with a non-admin account. The runas /savecred option makes using the alternate account much easier.

Mike United States

9/12/2011 11:06:34 AM

Hi Mike,

The savecred option works ok, but it does have security downsides.  Once you invoke savecred, any executable is allowed to run under that context.  So if you originally issued:

runas /savecred /user:mydomain\myadminuser notepad.exe
Then I can use:

runas /savecred /user:mydomain\myadminuser cmd.exe
or any other executable and will no longer be prompted for a password.  Scripts could be invoked and potentially harm your system.  If you forget to lock your system before you leave, someone could still get admin access by invoking the above commands (even if you closed all your windows).  This command is also deprecated in Windows 7/Server 2008, probably because of this security issue.

Pber Canada

Powered by BlogEngine.NET 2.0.0.36
Theme by Mads Kristensen | Modified by Pber