Right, the goal is not to prevent a malicious user from running things, it's to make a usable environment for non-malicious users (via giving them Remote Desktop) so they don't feel the need to install anything that someone else could later attack.