Yeah fair point that this exploit gives privs @ the level of the browser's current user. In that parenthetical, I was basically trying to explain what "session" means in Metasploit parlance in general.
Ignoring that most users run their main Windows login as administrator, if we pretend it's just a guest account, how much of an impediment would that be to them disrupting any anti-virus and installing some malware?