The bottom line is to prohibit the launch of programs from where there are write permissions, and allow the launch where it is impossible to write.
1. Create a user in the "Users" group.
2. Next, Control Panel → Administrative Tools → Software Restriction Policies → Additional Rules. Add rules with a ban on drives C: and D: (if any), allow Program Files, Windows, system32. You can also disable flash drives.
3. For convenience, so that you can launch programs by shortcuts, remove shortcuts from the Assigned File Types (located in the Software Restriction Policies). In the same place, you can remove help files, etc. from prohibited files.
You need to install all the software before creating policies. Checked on XP, on the Seven I don’t know how it will work. There may be problems with some software.

Guest + runas. Nothing unusual.

Just yesterday a question popped up: http://habrahabr.ru/qa/4761/

hmm, in Windows 7 just don't disable UAC and don't download exe from mail and porn sites

a little on the topic was on habré habrahabr.ru/blogs/sysadm/97594/

I'm not sure what suits you, but look towards sandboxes, for example . Super useful stuff.

I’m afraid that windows won’t be able to be configured the way Windows is - there are too many people who want to break and the code is too the same everywhere, which simplifies writing exploits.
In addition to the above tips, I recommend installing 64-bit Windows 7. During its development, MS introduced several additional barriers to hackers, which, together with a small prevalence, still serves as a good additional protection.