A co-worker of mine insists that if a Windows PC is used exclusively by guest-accounts, then there is no need for anti-virus software to be installed. this strikes me as a bit optimistic. is this true?
No. While many infections come through the actions of privileged users, there are plenty of sources of potential infections (attack vectors) that eliminating privilege doesn’t solve.
For instance, this RDP bug from last month is a remote execution nasty that could infect regardless of the user type: http://technet.microsoft.com/en-us/security/bulletin/ms12-020
This report from Microsoft lays out a lot of information about malware sources, and more for the past 10 years. http://www.microsoft.com/security/sir/story/default.aspx#!10year