We use BeyondTrust Privilege Manager to elevate permissions to applications while the user still has user rights.
snippet from beyondtrust http://www.beyondtrust.com/products/PrivilegeManager.aspx
BeyondTrust? Privilege Manager gives organizations the ability to implement the fundamental security principle of least privilege using native Windows security constructs. This principle is essential not only as a security best-practice, but also to satisfy most security-focused regulatory compliance directives. The principle is defined in the famed ?Orange Book? as follows:
?Least Privilege ? This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.?
The product is implemented as a true Group Policy extension that allows administrators to attach permission levels to applications. Applications, users and computers are targeted using standard Group Policy conventions and Privilege Manager per-setting filters. Simply specify the application and which security groups should be added to and/or removed from the process token when the application is launched.