There are two categories of users on an OS X desktop:
Admin: These have additional access to read/write some system files and directories, but there are still a few parts of the file system that are off-limits other than read-only. These users are allowed to use sudo to gain root privilege temporarily.
Non-admin: These are normal UNIX-style users. System stuff (including many preference settings such as Network) is off-limits. Non-admin users are not allowed to use sudo. These accounts can be further controlled by an Admin user to limit what apps they can run, whether they can burn CDs/DVDs, whether they can remove items from the Dock or even access the System Preferences.
You can set up a user to be logged in automatically (similar to W2K or RH 8) or require a login and password.
The root account is locked out by default. (It can be unlocked by an Admin user, however.)
Network services (http, sshd, etc.) are turned off by default.
All in all, I think Apple put a considerable amount of thought into balancing convenience versus manageability.