When you enter a web page that has been hacked, it has code inserted into the page. That usually takes the form of an iframe which will have a URL to run malicious script from another site. It can and does include the HTML script tag, and this contains JavaScript, which can perform the same functionality. This JavaScript is mostly obfuscated so that the purpose of the code isn't clear.
There is no "what harm it can do", as that relies on the URL it is trying to redirect you to and what the payload is at the other end, and none of these are constants.
Running as a limited user should (note should) prevent the malware copying files into the system folders and creating registry entries in system areas of the registry, but it doesn't prevent it creating entries in that user's area.
Really there is no discussion: what harm does it do having it enabled? It has minimal impact on resources, so no contest. There is malware that attempts privilege escalation, and if that happens your limited user theory is dead in the water. As I said, it limits the damage that can be done but doesn't make you invulnerable. You have the information now; the choice is yours. I'm done.
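An added example, not part of the original post: a small scanner a site owner could run over a saved page to flag the two injection forms described above, an iframe or script whose URL points at another site and an inline script that looks obfuscated. The host names, the sample page and the marker list are constructed assumptions, and the markers are heuristics rather than a complete signature set.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic: calls commonly used to unpack obfuscated inline script.
MARKERS = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\b")

# Constructed sample page; www.site.example stands in for the site being checked.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://other-host.example/in.html"></iframe>
<script>eval(unescape("%31%2b%31"))</script>
<script>var greeting = "hello";</script>
</body></html>"""

class InjectionScanner(HTMLParser):
    """Collects off-site iframe/script URLs and inline scripts with markers."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._inline = None  # buffer for the inline script being read, if any

    def _off_site(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag in ("iframe", "script") and self._off_site(src):
            self.findings.append((tag, "off-site src", src))
        if tag == "script" and not src:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body, self._inline = "".join(self._inline), None
            hits = sorted(set(MARKERS.findall(body)))
            if hits:
                self.findings.append(("script", "obfuscation markers", ", ".join(hits)))

def scan(html, page_host):
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    return scanner.findings
```

A finding is a prompt to review that element, not proof of compromise; legitimate third-party hosts the site really uses would need an allowlist.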