Short version: Never, ever use MS IE, period, and never, ever browse with Administrator privilege in Windows ... never. I can compromise not just you, but your entire home network, with a well crafted site.
Long version ...
First off, I always laugh when someone uses the phrase "least privilege model," because it says what OS they use (it's inherent in the POSIX world). But, secondly and more troubling for most general purpose OSes, even by running something as a privileged user, while your desktop is unprivileged, is an issue because of shared memory.
Beyond NT/Windows, which begins in the early '90s (NT 3.1 released in '94), and even MS Windows 1.0 in '85, this also includes the 32 year lineage X-Window ('84+) on POSIX systems. Yes, X comes from before the release of even MS Windows 1.0, also based heavily on the same Xerox code from the '70s.
I.e., Apple had access to the Xerox code for creating the Lisa, then Mac, which is what Microsoft developed Windows from (under license, even if misappropriated as it was for applications for the Mac). Digital, MIT and others in academia came up with a shared memory, multi-user, network-based model (the last 2 were things that weren't added to NT/Windows until Citrix' Multi-Win, which originally started on OS/2 in the '90s), called "W." "X" was the next letter for the evolution in '84. I even remember how UseNet (before the Web) "comp.os.window[s]" was for X-Window until it became impossible to get people to use "comp.os.mswindows" for Microsoft Windows.
In fact, the bane of Windows' network security problems often still stems from all that Distributed Computing Environment (DCE) code developed in the open source community back when AT&T funded academia (when AT&T was prevented from selling computers and software, as the telephone monopoly -- what we now collectively call the lineage of the POSIX world -- UNIX, GNU/Linux, etc...). Long story short, it's still at the core of the NT executive, the Server service (Server is for DCE-based networking, including shares, even when you have no shares), heavily relied upon by everything, including Outlook and MS Office automation. The Samba project documents a lot of Windows' DCE, especially the stuff not in the Microsoft API docs (not even the US federally mandated ones), bug for bug, implementation by implementation (as bugs and quirks vary).
MS IE going into the core NT executive in '97 was the ultimate issue -- everything built with Visual Studio 97 and later suffers from this (yet another personal Gates decision, like the GDI I mention below, that has been a mistake). This includes the inability to disable Javascript, even when you disable it. Disabling everything, especially tied to file associations, would make collaboration in Office, Sharepoint, etc... break. This is why the US DHS CERT and DoD DISA advise everyone not to use MS IE for typical browsing. There are ways to utterly bypass the "Zones" and execute client-side Javascript, even if disabled. This is why Microsoft has created a new, non-MS IE lineage browser
So if you're running as a privileged user, running MS IE and you have the Server service going, you can instantly infect everything on your network. Even worse, as was just recently disclosed, every NT version and its Local Security Authority (LSA) subsystem doesn't even check things when you have escalated privilege. So if you are on a system with a privileged realm account (network-wide SAM, aka Domain), not just a local SAM (aka Workstation) -- i.e., a Domain Admin -- a program can use the LSA to access everything, even if you're not logged in as the Domain Admin yourself (just on the same system).
Windows NT 3.1 initially included some access controls for the GDI (Graphical Display Interface, although the GDI is another issue, another Gates decision being reversed in Windows 10 Server Nano, and the post-Windows OS Microsoft is developing) that all native Win32 programs are rooted on in NT, an improvement over OS/2 -- as NT was heavily designed by Digital VMS architects -- but the Chicago (DOS 7-based Windows that became the 95/98/Me lineage, a merger of 3.1 Enhanced mode with some OS/2 driver hacks, also used under an "indirect" license) team ensured none of it was used, and the rest is history.
Hence why the legacy SAM (which is still used, whether you have just local accounts or it's the NTuser schema in Active Directory), with the LSA, can wreck all sorts of havoc, and programs are using a single Windows system to "leapfrog" through ... usually by just someone using MS IE.
Fortunately, some Linux implementations even have a true "sandbox" option, including GUI, which allowed them to reach higher levels of security certification (e.g., CC EAL-4+ w/specialties, even in general setup, which Windows cannot obtain in general configuration, only EAL-2 or EAL-3). E.g., any system implementing SELinux in such "targeted" mode (even if not full-on RBAC) can run an isolated program, including with X-Server, so one can start a browser.
I.e., I launch some browser sessions in this mode for a reason. There's no chance of it reading anything in any other window. This is part of the reason I've long learned basic SELinux, which is inherent in anything Red Hat creates (e.g., Fedora). In the day'n age of containers, it's essential.
E.g., SELinux MLS (RBAC) has been adopted as MCS labeling for containers, as namespaces and other tricks are not enough. This will increasingly be used for Virtual Desktop Infrastructure (VDI), which will slowly be seen in more and more consumer devices in the future (set-tops, possibly portables, and definitely home routers w/media servers built-in) ... in addition to some of the well-publicized, server implentations (including Microsoft Azure's Linux-based SDN, Software Defined Network when neither their own Windows Server teams, nor their "normal Linux-based hardware partners" like Cisco et al. could provide them what they needed).