You can "disable" all those "Run" and "RunOnce" keys even for user account. Note: when these keys are "disabled", many programs will fail in attempts to add themselves into "Run %put_the_program_name_here% at startup" mode - i.e. this option, if exists, won't work in the programs. Also some installations require "Run" or "RunOnce" keys for completion the installs (after a reboot).
To "disable" the key you want (this method works not only for keys described here, but may be used for every key you want to limit the access to), run the registry editor in the admin mode, but with using
current user profile, in the command line (WinXP):
runas.exe /noprofile /user:Administrator regedit.exe
(change Administrator to actual admin's login)
Find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
click on it with right mouse button, select "Permissions...".
There click "Advanced" button, in the opened dialogue uncheck the checkbox starting with words "Inherit from parent ...", in the next dialogue that will appear, click "Remove" button. Then, in the dialog you're just unchecked "Inherit ..." checkbox, click "Add..." button - and this way you can step-by-step set the user rights up - for example, allow "Administrator" and "System" user to have full access of the key, or you can just enter "Everyone" as a login, and in the next dialogue, select these checkboxes to the state "Allow": "Query value", "Enumerate subkeys", "Notify", "Read control" (you can do the same in the first dialogue that shows after selecting "Permissions..." menu item in the key context menu, just by selection "Read" permissions as allowed, and clearing all other checkboxes - do this for every user you want limit the access as a read only).
You can set up rights this way for every "standard" potentially dangerous key.
So, being working under limited user account, with properly set up access rights for the registry and file system (actually, all system files are already read-only for the user account), you can make it to be protected from using
standard ways as malicious. Though, there is no way to protect from system security holes, like, if possible, rights elevation using bugs of the system. But those holes have tendency to be closed - being once used. The standard ways - standard system functions like "Run" etc are - shotly speaking, may be closed only by user, because those are functions that were designed to run that way, just like "DeleteFile" API may be used to delete a garbage temporary file, and to delete important user's document as well.
And, one more note: "Windows NT" - is not the system that was initially designed to be used on the workstations, and we can see many roots of this these days, still. Administrator account - as we know it these days - was not designed to be used for everyday-work either - just by "system design". Unix/Linux users are well known for their dislike to work under the "root" account (it's like Administrator in Windows), but this habit is rare in the Windows sphere. But working under the "User" account rights - even without any additional settings changement, the Windows user will massively decrease the paths that malware may use.
Having another system installed on your machine, you may backup the entire registry.
Find in the registry editor this key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
The values in it are containing the full paths to every file of the registy - save the list somewhere, then boot from other system, the save the files listed, and then, after some experiment, or software setup, or hardware settings changement, or malware activity (after it will be removed), or many other things that make your system unstable, you can just restore all those saved files to their original places (don't entangle something! and back up old files somewhere, too), and this action will return registry to the state it has at the time you made that backup with saved files.
All described here may be used only for your own risk (though, they are a pretty proper and "legal" things to do), not claims to be full, and was specifically for
English WinXP (more or less for 2000, too, as well as 2003), but it may be suitable for more modern systems as well - it will be very interesting to hear
John's thoughts on this, as he has experiencies with modern systems, and system-repairing things are very familar for him
