So the user installed the malware after downloading some crappy doc converter ? So they either entered their admin details or run on an open admin account. No security model can mitigate users being tards. They must have even switched off the known developers filter.
Biting the hand that feeds IT
