Default security settings
For Windows XP, there are three fundamental levels of security granted to users. These are granted to end users through membership in the Users, Power Users, or Administrators groups.
The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data. However, user level permissions often do not allow the user to successfully run legacy applications. The members of the Users group are only guaranteed to be able to run programs which have been certified for Windows. For more information on the Certified for Windows Program, see the Microsoft Web site.
The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.
The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allows complete control over the entire system. As a result, only trusted personnel should be members of this group.
By default, any user who logs on interactively is at least a member of the Users group. For computers that were upgraded from Windows NT 4.0, any user that logs on interactively is at least a member of the Power Users group.
Security Configuration Manager allows you to control membership of the Administrators (or any other group) with Restricted groups policy.