No, Dana, you're completely right. I keep having to tell people here that developers don't actually need to be administrators, because they're not actually doing anything administrative, and nor are their applications.
My take is that most lines of code are never run by anyone other than the developer until they reach the user. As a result, if the developer is an administrator, then so must the user. If we want the user to be non-administrator, then the developer must also be non-administrator. Testing and QA isn't sufficient.

I third that emotion. There is no excuse for this.

I just obtained a consumer product, a Microsoft LifeCam. I elevated my user account to administrator and installed it there, ran it a while to get through all of the setup that might require firewall permissions (there were some, including wanting to download a software update), and restored my user account to limited user.

Before I lowered my privileges I also moved anything in the all users account to my personal, ordinary-user profile.

And, everytime I log into my administrator account, the bloody webcam software pops up to take me through the setup. I don't want the camera there -- I only do administration in the administrator account. And I can't find where it is being triggered to shut the silly thing off.

This is getting discouraging.

The funny thing is, I installed a Logitech webcam on my wife's new Media Center PC and I got it to behave properly there without much difficulty. I was impressed by her enthusiasm for it and figured that it would be cool to get a Microsoft webcam for my system. The Logitech operability is better. (I was avoiding them because I have become tired of their nag screens and use of adware. Now I have to reconsider.)

On-Target and timely. Over 20 years ago, I developed applications on a Digital VMS (OpenVMS) system.

The concept was simple, write code without privileges; it'll run without privileges.

When necessary, mechanisms existed for enabling code to run with privileges - without giving this privileges to users. When a process did need privileges the SysAdmin had to grant those rights and configure the application to run with them.

Shared libraries (like DLLs) were controlled as well. Libraries had to be installed by the SysAdmin; not by every user on the system.

Systems stayed up for Months and Years - not days. When an application failed it didn't take down the entire system (unless it was REALLY poorly written and installed with privileges - I wrote a few...)

The concept is not new - it has decades of real life practical experience. But the model depended on a OS that facilitated these capabilities.

I disagree - the model depends not just on an OS that facilitates the capabilities, but also on a culture that lives it.
After all, NT was designed by the same guy from digital who did much of the Vax design work. That's why a lot of its concepts are similar.
But there was an uphill struggle based on the presence of so many Windows 3.1-era tools that assumed first that there was no user model, and second, that if there was a user model, "the" user had all possible rights and privileges.
And developers loved this, because it pandered to our egos, telling us that we are the most powerful people on this machine - we're not just able to tell the computer what to do, but there's also noone on the computer who can tell us "no!"
I think all "powerful" terms like "administrator" and "super user" should be removed, and replaced with "janitor", "mechanic", or "grease monkey". Maybe then, fewer people would desire that level of access just because they somehow feel that they need it. I've seen company executives demand administrator privileges on the basis that they should be the most powerful user of the system.