I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.
The fix, therefore, is to only let the code you want to run locally run, and deny everything else.
I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance. Approved, verified-source, signed-off code only. Even then you can be compromised (e.g. escaping a web-browser sandbox, etc.).
If a local user can get system privileges on a machine in so MANY different ways, you just can't assume that they won't try, and therefore have to design your security and systems to compensate as much as possible.
The expectation for arbitrary code execution for anyone other than an administrator (already game over) or developer (who probably can mess up your system in a billion different ways, not least compiling exploit code into their programs) is something that I can't justify.