Jesper Johansson posted a blog entry discussing the debate about what UAC really is and if it works or not. Jasper is in a unique position to be able to comment on this because he is a former Microsoft employee and was a senior security expert with them.
Long story short … UAC is not an anti malware defense. That’s what your anti malware products are intended to do. UAC is intended to allow people who need to log in as local administrators to run with reduced privs and then be prompted to OK a process that requires elevated rights. This can reduce the risk of malware executing, i.e. if something executes on your system and wants to use elevated rights then you are in a position to control that. But as Mark Russinovich pointed out lately, there are ways and means around this, i.e. there are no firewalls between processes running on the same system. Would you want them? Probably not … imagine that no process could integrate with any other process.
Give it a read and follow the links that Jesper provides to make up your own mind.