UAC in Windows 7
At PDC2008 there was a session abstract that essentially said: "there's nothing new here". But I'd still recommend viewing it, and actually it included (a little bit of) new information:
PC51 Windows 7: Best Practices for Developing for Windows Standard User
presented by Crispin Cowan, PM on the UAC team
The important takeaway is that from a programmer's perspective the UAC functionality in Windows 7 is the same as in Windows Vista. There is some fine tuning so that some actions don't require elevation anymore, like changing the DPI of your monitor. A major change is that the UAC prompt behaviour is now configurable by the user (more details below), but programs should still be created for and tested with the tightest UAC setting.
The presenter explains what problems user context switching in an "over-the-shoulder" elevation scenario can cause, how to launch an elevated process from a non-elevated process, and other design guidelines with restricted users in mind. He also explains why launching an application or readme at the end of an elevated setup can be a problem, and that per-user configuration should not be handled by the installer but by the application at first run. Finally he expresses his concerns about per-user installs.
UAC Configuration Options
Here are some screenshots from the UAC configuration dialog in Windows 7 (taken from the M3 build that was handed out to PDC attendees).
In the highest setting the UAC behavior is the same as in Windows Vista.
The second option is similar to the first one, but the UAC prompt is displayed like any other window, not on the secure desktop. According to Crispin this mode is intended for machines with problematic video drivers which cause the screen to turn black for as long as 30 seconds when switching to the secure desktop. This mode is less secure because a malicious program could remote-control the UAC prompt. It can be handy however if you want to take a screenshot of the UAC dialog.
The third option is the default (at least in this build). It gets the UAC prompt out of the way for any tasks you perform manually. So for instance a user can create a folder under Program Files without being prompted. I don't know how Windows 7 can safely distinguish between user actions and programmatic actions, and what would happen if a tool like AutoIt sent keystrokes or mouse clicks to an application.
The last option turns UAC off completely. This requires a reboot of the machine, and instantly changes your security status to red, similar to Windows Vista.
I noticed that the shield icon on buttons performing actions that require elevation is always displayed, even if the UAC prompt is set to option 3. This means that you don't actually get a UAC prompt when you click a button with a shield on it. I find that confusing.
Finally, now that taking screenshots from UAC dialogs is easier, here's the "friendly" UAC dialog that's displayed when uninstalling a digitally signed package from the Programs and Features control panel (aka ARP), which I mentioned in my previous PDC post.
Note: The screenshots in this article were taken from a pre-beta build of Windows 7, so things may look and/or behave differently in the beta or RTM.