Securing multi-user Win7 HTPC

I'm building a Win7 HTPC for my brother and I'm looking for some advice on how best to secure it.

When booted, it will autologon as user "M" which auto-starts Mediaportal on the TV. He's unlikely to logon to this account manually or do much with it. I have to avoid anything that might produce popups (like Antivir) running in this account, as he won't be able to get rid of them easily. If I can make Antivir only run under the second account that should be OK though.

From another (old) PC across the room, he will RDP into the HTPC as user "S" (using the RDP patch to enable multiple simultaneous users, obviously I can't close the RDP port but it won't be forwarded on the router anyway, so won't be accessible externally. I'll use Logmein for remote access when necessary) and do his browsing, video compression, downloading, etc there. I've set IE9 to run in Sandboxie. To keep things simple, I plan to just use the Windows Firewall with Windows Firewall Notifier to control outbound traffic, although it's been producing notifications that it shouldn't be lately, so I might change that to Comodo Firewall.

I want to dissuade him from installing additional software, partly for security reasons but mostly because of the risk of installing something that interferes with the smooth operation of Mediaportal, so the machine will also run an XP Virtualbox which he can install whatever into. I haven't yet decided whether to autostart this with the "M" account (which will allow him to VRDP into it without logging in as user "S" first) or whether I'll set it up so that he has to logon to his "S" account to start it. The former will probably encourage him to use it more. I'll probably use Comodo firewall in the Virtualbox but I'm not sure which antivirus I'll use, as Antivir causes it to BSOD on booting and I don't feel MSE is suitable. Any files/documents will be saved to a folder on the real HDD, using Virtualbox's Shared Folders.

Running two users simultaneously can create issues, for example if Comodo firewall is loaded by user "1" and then also loaded by user "2", it seems to work OK but it displays a warning tray icon for the latter, so it's hard to be sure there won't be any problems. The user "M" account doesn't really need a firewall running though, so if I can configure it to only load for user "S" that should be OK.

One of the things I want to do is make it so that if he does try to install some software in Win7, it will require a password, so that at least he will stop and think before proceeding (I know UAC will produce a popup, but without requiring a password that's probably a bit too easy to just click away). However, ideally when software auto-updates it shouldn't prompt for a password otherwise he's likely to get into the mindset that the popup just signifies a program needing to update and he might allow something to install that he didn't really mean to. Does anyone know of a way to achieve that?

Any other thoughts or suggestions gratefully received as I'm no doubt overlooking something (although I don't want to go overboard and make it too complicated or non-user friendly for him)?