Windows hasn't used that security model in almost a decade now. It now uses a role-based security model which provides the same protections as the Unix group-based model, albeit more flexibly and with finer-grained control. That's proven itself to be quite robust: the problems arise largely from code execution exploits in software using the network, like Internet Explorer, and from the users themselves. UAC and not running by default in Administrator mode help prevent some of the nastiest, but there's still a lot of nasty stuff that's possible. Deleting a person's home directory usually hits them far worse than anything else, because if they didn't back it up, it's gone, while the other stuff is just a reinstall away. Botnets only require being able to run software which can poll somewhere else to pick up orders and send mail in some manner, to stick that program in a hidden directory with the same name as an important long-running system process, to make it executable, and finally to set it to run every time they log in. For a single-user system run by the proverbial grandmother, that's just as effective as whatever crazy elaborate scheme any hacker can cook up.
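The persistence recipe sketched in that reply (a program dropped in a hidden directory, named after a legitimate long-running process, and registered to start at every logon) is also what a defender can look for. The following is an added example, not code from the original post or any project it mentions: a PowerShell audit of the per-user and machine Run/RunOnce keys that flags entries whose executable sits outside the Windows or Program Files trees and either lives in a hidden directory or shares its name with a process currently running. The "trusted" directory list, the Run-key list and the heuristic itself are assumptions of this example, not something the post specifies.

```powershell
# Added example (not from the original post): audit autorun entries for the
# "hidden directory + system-process name" pattern. Heuristic only; the trusted
# roots and the choice of keys are assumptions made for this example.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories we treat as trusted homes for autorun binaries (assumption).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Names of processes running right now, without extension (e.g. "svchost").
$runningNames = Get-Process | Select-Object -ExpandProperty ProcessName -Unique

function Get-ExePathFromCommandLine {
    # Run values are full command lines; extract the executable, honouring quotes.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $exe = Get-ExePathFromCommandLine $p.Value
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Warning ("{0}\{1}: target not found: {2}" -f $key, $p.Name, $exe)
            continue
        }
        $item = Get-Item -LiteralPath $exe -Force   # -Force so hidden files resolve
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($item.FullName.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        $hiddenDir = ($item.Directory.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $nameClash = $runningNames -contains $item.BaseName
        if (-not $inTrusted -and ($hiddenDir -or $nameClash)) {
            [pscustomobject]@{
                Key                = $key
                ValueName          = $p.Name
                Path               = $item.FullName
                InHiddenDirectory  = $hiddenDir
                NameMatchesProcess = $nameClash
                Signature          = (Get-AuthenticodeSignature -LiteralPath $item.FullName).Status
            }
        }
    }
}
```

Run it in an elevated PowerShell session to see the HKLM keys as well as the current user's; it prints one object per suspicious entry and a warning for Run values whose target no longer exists. It deliberately covers only the Run/RunOnce keys, so a complete review would also walk scheduled tasks, services, and the Startup folders, and an unsigned or invalidly signed binary in the output is worth pulling a hash of before deciding what it is.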