Let me try to stop (some?) of the confusion.
This is basicly how it works:
A admin (especially administrator account, note: admin rights and administrator are two different things) is supposed to be for those user(s) who are allowed to do almost anything with the system. When you login as admin(istrator), you will have a lot of control over the system and what is on it. If at this time the system gets infected, the malware will basicly have the same rights as the admin(instrator) and therfor can do a lot of damage.
When you are logged in as user with restricted rights and the system gets infected. The malware has basicly the same rights as the restricted user and will therfor not be able to do as much damage is it would have done under admin(inistrator) rights.
Besides that the malware doesn't have access to everything when logged in as restricted user at the time of infection, you can also use the restrictions to almost exclude infection risk when logged in as restricted user.
Some recommended settings for the restricted user account:
- not allowing downloads
- not allowing to use the floppy/cd-rom
- own folder with quota, no access to other folders
- disabled activeX support
- no access to the firewall
- etc etc etc
I hope this is taking away some of the confusion
ps: Upgrading is never recommended. It is like putting in a new engine in a car and doing a paint job on it. But you still have parts of the old car there also. A complete fresh install (getting a brand new car) is what I always recommend.