How would I set up "a couple of tightly restricted user logins"?
The user accounts in the control panel. Set up a new user account/login and set privileges to anything but Administrator or Power User. If you are running Windooze ex pee home, the privilege settings are limited, but you should be able to restrict most if not all unauthorized downloads, and it will ask for an Administrative login before anything is downloaded or installed. Now this won't completely shield you from malicious attack, but it will definitely help with unauthorized access to crucial areas of the operating system.
Email is an open portal and it would be almost impossible to keep an uninformed user from opening anything that may pose a threat. All I can suggest for that would be education.
There are other settings to tweak as well such as various services that run by default. If you are not on a shared network I would highly recommend disabling the "Server Service" that will disable the $C:/ ~ *.*(wildcard) Administrative shares.
There are other so-called "Services" that can be disabled as well that will have no degrading effect on performance but will increase your security. I wish I had time to get into all that, but this post has rambled on beyond what most people want to read, so I'll close for now and may continue on if interest in the subject continues.
The safest, most secure machine is the machine that is offline.
Have a Great Day & Best of Luck.
T.
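The two steps described in the reply above (a restricted, non-administrator local account, and turning off the Server service on a stand-alone machine so the administrative shares disappear) as an added example, not code from the original post. It assumes a local, non-domain Windows machine and an elevated PowerShell prompt; the account name and password are placeholders. The legacy net user / net localgroup / net share commands are used because they exist on every Windows version from XP onward, whereas the newer New-LocalUser cmdlet does not.

```powershell
# Added example, not from the original post. Assumes a stand-alone (non-domain)
# Windows machine and an elevated PowerShell session.
$userName = 'restricted1'      # placeholder account name
$password = 'Change-Me-Now!'   # placeholder; never hard-code real credentials in a script

# 1. Create a local account and make sure it belongs only to the Users group,
#    i.e. not Administrators or Power Users, as the post recommends.
net user $userName $password /add /comment:"Restricted daily-use account"
net localgroup Users $userName /add
foreach ($grp in 'Administrators', 'Power Users') {
    # Removal fails harmlessly when the account is not a member; suppress that error.
    net localgroup $grp $userName /delete 2>$null
}

# 2. Verify the result: the only local group listed should be *Users.
net user $userName | Select-String 'Local Group Memberships'

# 3. Inspect the Server service (service name LanmanServer) and the shares it
#    currently publishes. On a default install the administrative shares are
#    C$, ADMIN$ and IPC$.
Get-Service LanmanServer
net share

# 4. Only on a machine that is NOT sharing files or printers: stop and disable
#    the Server service. Stopping it removes the administrative shares.
Stop-Service LanmanServer -Force
Set-Service LanmanServer -StartupType Disabled

# 5. Confirm that the administrative shares are no longer offered.
net share
Get-Service LanmanServer
```

Run the script once as an administrator, then log in as the new account for day-to-day use; installing software from that account will prompt for administrator credentials. Disabling LanmanServer also turns off ordinary file and printer sharing from this machine, so skip step 4 on any computer that other machines need to reach over the network.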