Don't Let Users Be Local Admins
Don't let users be administrators of their own
computers. It is quite common to let users be members of their local
administrators group in order for them to be able to install software
themselves. This is not a good idea.
users should not be allowed to be admins is not primarily that you don't trust
your users. Hackers, however, are likely to be able to use the credentials
of the currently logged on user. For the same reason, you should not use your
own administrative account, unless you really are administrating computers.
If you really want your users to be able to
install software themselves, consider giving them a local account with
administrative privileges in addition to their normal domain account. The fact
that the account is local makes the users less likely to use it for
their daily work.
Be sure to tell them that they may only use their
administrative account for certain well-defined tasks, such as installing
software. Make an effort to explain to them why. Most users will follow the
rules if they make sense to them.