UAC vs Setup.exe
This is actually a surprising UAC hole: Any program that Vista identifies as an installer is, after a UAC check, given administrator rights and can install anything, anywhere.
If there's any piece of software I don't want to give full trust to, it's an installer. The installer is the first thing I run after I download a piece of code, and I'd really like to know what it's going to do.
Installing an average Windows application only needs a few privileges: Writing into the registry in a few specific locations, writing to the Program Files directory, and writing to my user profile. But there's no easy way to run an installer with just those privileges; it's all or nothing.
It'd be nice if there were at least the option to run as me, or as a particular user, instead of just the admin or cancel choices we have now.