As has already been highlighted, make sure he is using a standard user account. If he needs to perform an operation which requires administrator rights, say, for instance, installing a game, it will ask for the credentials of an administrator user of the system, which he hopefully wouldn't know.
However, something to be aware of is that if you're elevating from an account which has been infected with malware, there are opportunities for it to gain administrator rights. If you would like to completely block that avenue of attack, whenever he needs to perform an administrative operation and you can verify it is legitimate, switch to a dedicated administrator account to do so. This way, with the exception of security vulnerabilities, malware which may have infected the account will only ever be constrained to standard user rights. If you have suspicions that the account has been infected with malware, an easy way to clean it up is to simply delete the entire account, although any data which has been saved under that account will be lost.