Re: Wow... an administrator can...
Windows security privileges can be quite fine grained, so it's possible a user might have enough privileges to perform this account, but not enough to install a certificate, or disable whitelisting, etc.
On the other hand 99% of Windows users have full admin rights because that was easier than working out exactly what each class of user should have access to and tailoring it accordingly, so your point still stands.