Simple way to reduce UAC prompts without reducing security
Posted: 09-05-2006, 09:50 PM
5536 for running programs as administrator is to prompt for user
confirmation but not require entry of a password, there are supposedly two
separate goals:
1. To remind the user that he's about to run a program with which he could
accidentally screw stuff up.
2. To prevent running processes from elevating their own privileges to
administrator level without the user's knowledge or consent.
For the first goal, the confirmation prompt is already redundant, because
all such programs (and the option "run as administrator" for all other
programs) already have shield icons next to them. Even in places where
regular privileges are sufficient to view admin-level settings, the button
to change those settings has a shield icon on it. So the user isn't going to
start admin-level programs (or regular programs at admin level) without
knowing that he's doing this.
As an additional precaution and reminder, any program or dialog box which is
running as administrator should have that shield icon in its title bar.
Making the window frame be bright red instead of the regular pale blue
wouldn't hurt either. But even without these additional reminders, the
confirmation prompt is still already redundant.
Of course, the first time a new user ever invokes one of these admin
programs, the confirmation prompt should pop up once with an explanation of
what the shield icon means, and the user can dismiss this prompt once and
for all after checking a box saying "I understand what the shield icon
means; don't bother me with this redundant prompt anymore."
Now, for the second goal: allow the user, with his keyboard and mouse, to
use the Windows shell to start programs with shield icons without the system
presenting any prompts, but if any process _other than the Windows shell_
(for example, Microsoft Word while executing a macro virus) attempts to
start an admin-level program or otherwise elevate its own privileges, then
the system should display a confirmation prompt. Naturally, this requires
that the system should prevent programs from being able to control or spoof
the shell, but that's already taken for granted; programs can't (or
certainly ought not be able to) move the mouse cursor at will, or generate
mouse and keyboard events that appear to be coming from the shell.
This way, the common and annoying prompts that administrator-level users
encounter for things like setting the time, running the performance monitor,
viewing all users' processes in Windows Task Manager, and doing numerous
things in the control panel, are all eliminated, yet the user is aware when
he's starting admin-level programs, and no admin-level programs are started
or privileges elevated without his consent. So both goals 1 and 2 are
accomplished without annoying the user.
Of course, for non-admin users, the UAC password-entry dialog boxes are
still necessary.
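As an added example that is not part of the original post, the PowerShell below shows where the tradeoff the poster describes actually lives on a UAC-enabled system: the policy values that decide whether an administrator gets a consent prompt, a password prompt or no prompt at all, a check for whether the current process is already running elevated (the post's "admin-level" state), and the "runas" path that any process, shell or not, must go through to request elevation, which is the point at which UAC inserts its prompt. The registry path and value names are the ones Windows uses; the function names are my own. The meanings given for ConsentPromptBehaviorAdmin values 3 to 5 were added in Windows 7; the Vista builds the post discusses used only 0 to 2.

```powershell
# Added example (not from the original post). Reads the UAC policy values that
# control the admin-prompt behaviour discussed above, reports whether this
# process is already elevated, and requests elevation the way UAC intercepts it.
# Registry path and value names are real; the function names are assumptions.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacPolicyPath

    # ConsentPromptBehaviorAdmin: what an administrator sees when something
    # asks for elevation (values 3-5 exist on Windows 7 and later only).
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # ConsentPromptBehaviorUser: what a standard (non-admin) user sees;
    # this is the password-entry case the post says must stay.
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    [pscustomobject]@{
        UacEnabled         = [bool]$p.EnableLUA
        AdminPrompt        = $adminBehavior[[int]$p.ConsentPromptBehaviorAdmin]
        StandardUserPrompt = $userBehavior[[int]$p.ConsentPromptBehaviorUser]
        SecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

function Test-IsElevated {
    # Under UAC an administrator's normal token carries the Administrators
    # group as deny-only, so IsInRole is $true only for an elevated process.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-Elevated {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    # Every elevation request, whether it comes from Explorer or from any
    # other process, goes through ShellExecute's "runas" verb. That is where
    # UAC decides, per ConsentPromptBehaviorAdmin above, whether to prompt.
    $splat = @{ FilePath = $FilePath; Verb = 'RunAs' }
    if ($ArgumentList) { $splat.ArgumentList = $ArgumentList }
    Start-Process @splat
}

# Usage
Get-UacPolicy | Format-List
"Current process elevated: $(Test-IsElevated)"
# Start-Elevated -FilePath 'perfmon.exe'   # Performance Monitor, one of the post's examples
```

Running this from a non-elevated PowerShell as an administrator shows `AdminPrompt` set to a consent (not credential) behaviour and `Test-IsElevated` returning `False`; calling `Start-Elevated` then produces exactly the prompt the post wants reserved for non-shell callers.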