The Lazy Admin

File System Virtualization

One of the less visible security features in Windows Vista is file system virtualization.  This type of virtualization gives an application a siloed virtual store that it can read from and write to without compromising the system.

Let's say you have an application that attempts to write to System32.  Instead of allowing the write, Vista creates a virtual System32 in the user's profile for the application to use.  Application developers can code their applications to run virtualized automatically, or you can set this manually.  IE7 running in protected mode uses this functionality, so when you visit a webpage that tries to insert a file into the Startup folder, the file is placed in the virtual Startup folder instead and will not execute on the next boot.  Let's look at a simple example.

Open up a command prompt as a standard user, CD to Windows\System32 and enter the following:

echo hello > hello.txt

As you can see, we get an Access Denied error.  If we open up Task Manager and look at the Virtualization column, we can see that it is disabled for CMD.EXE.  Right-click the EXE and we can see an option called Virtualization.

Note: You may have to show the Virtualization column by clicking View --> Select Columns --> Virtualization

Enabling this brings up a warning message, but we can ignore it for this test.  You would want to test your application in a virtualized instance before going into production.

We can now run the command in CMD.EXE and this time we will see that it completes successfully.

Open Explorer and browse to Windows\System32 and we can see that there is no hello.txt file.  What we do see is a button called Compatibility Files.

If we click this we are taken to a folder that does contain the hello.txt file.  If we look at the path we can see that this has been created in the user profile with the same path under the VirtualStore directory.
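
To see everything that has been redirected this way for the current user, rather than one folder at a time through Explorer, the following added example (not part of the original post) walks the VirtualStore directory and maps each file back to the protected path the application thought it was writing to. It assumes the store is at %LOCALAPPDATA%\VirtualStore, the Windows default, and that the original targets were on the system drive; the function name Get-VirtualizedFile is made up for this example.

```powershell
# Added example: list files that file system virtualization redirected into the
# current user's VirtualStore and map each one back to the protected path.
# Assumption: the store is at %LOCALAPPDATA%\VirtualStore (the Windows default)
# and the original targets were on the system drive.

function Get-VirtualizedFile {
    param(
        [string]$StoreRoot   = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive = $env:SystemDrive
    )

    if (-not (Test-Path -LiteralPath $StoreRoot)) {
        return   # nothing has been virtualized for this user
    }
    $root = (Get-Item -LiteralPath $StoreRoot -Force).FullName.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Path relative to the store, e.g. Windows\System32\hello.txt
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $intended = Join-Path ($SystemDrive + '\') $relative

            New-Object PSObject -Property @{
                VirtualPath  = $_.FullName
                IntendedPath = $intended
                # True when a real file also exists at the protected location, so
                # virtualized and non-virtualized processes see different contents.
                ShadowsReal  = (Test-Path -LiteralPath $intended)
                LastWrite    = $_.LastWriteTime
            }
        }
}

# Most recent redirected writes first.
Get-VirtualizedFile | Sort-Object LastWrite -Descending |
    Format-Table LastWrite, ShadowsReal, IntendedPath -AutoSize
```

After the hello.txt test above, the output should include an IntendedPath ending in Windows\System32\hello.txt with ShadowsReal set to False, since no such file exists in the real System32.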

Published Thursday, April 26, 2007 7:37 AM by rodney.buike

Comments

 

Adminspotting.net » Admintagging for April 26, 2007 said:

April 26, 2007 10:02 PM
 

djveer said:

This is a neat feature, and could be extremely useful in terms of security. Sort of reminds me of Application jailing.

April 26, 2007 11:02 PM


All postings are provided "AS IS" with no warranties, and confer no rights.
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.