With Windows, Profiles ALWAYS have something accessed. Check the %LocalAppData%\temp folder.
Check the browser cache, check the Windows OS and browser history areas, unhide folders and you'll see that if there is someone logged in, it's a flurry of activity and file touches, always, constantly.
Then check the user profile if you run Chrome or Firefox browsers - yup, if they open the browser, it's many hits in the user profile.
Open Outlook or Word - again, this is all info swirling around in the user profile.
Take part in a Webinar or online meeting - the software installs there, the meeting or whatever is logged there. EXE and DLL files are INSTALLED there. Terminal emulation packages such as Mocha - config files, settings, logs - it's in the user profile. Some profiles can reach a gig or more in size.
Anything you do in Windows touches your user profile. In short, you can't even log in to Windows without the user profile changing. You can't log out without it changing. You can't install software of ANY sort even WEBEX or GoToMeeting without the profile having folders and files, some of them EXE and DLL files put there. And you DO NOT NEED ANY ADMIN rights for this. Get into a WEBEX session or an online meeting - check your profile. I bet you have installations there - even with no admin rights. That's because the user profile is wide-open for that user. "Anything goes" in the user profile. Create an email signature, choose a "stationery" for Outlook messages, set your defaults and preferences, it's in the user profile.
Here is one of the most simple examples of a single user profile I can find - and if I dig into these folders, I find a lot of activity. The TEMP folder is LOADED with files, sometimes dozens, sometimes hundreds. If you have Outlook running, it logs there, if you have Symantec Vault, it logs there. Windows itself logs there. Look at the other folders - application stuff. The Citrix folder has EXE and DLL files.
The user profile area is in a constant state of flux, always changing, always being accessed - always. Even Windows keeps registry files and profile DAT files in there. You have to unhide things to see them, but if you blocked access to anything here, you'd kill Windows and the apps.
So, I'm saying all that as THIS IS THE EXACT place that most malware today hits. Modern malware targets the user profile as you do not need elevated or admin rights to do so. If they click a bad link or ad, WHAM, THIS is exactly where it goes, at times installing to and running from the TEMP folder as all users have full rights there to do anything. And Windows doesn't keep it cleaned out.
If you are not guarding this area carefully, you are remiss in your security... Every piece of malware I've seen in the last couple of years targets something here - something that is NOT locked in a gold image in VDI, and yet if the user clicks and gets malware in their profile area, say the temp folder, it has access to the network and files exactly as the user who is logged in has. And so what if VDI means the base is locked and reverts back each time of a logout... the damage is probably already done as the malware installs SMTP or other services in the profile, runs it from there, and grabs all the personal, confidential info it can and sends it out from that safe VDI image. Infected? Possibly not - but data loss, data theft, identity theft, spam, etc - ALL POSSIBLE from VDI, especially if the user profile is not protected and locked down by SEP and app control. Forget viruses or worms that install and must have admin access or rights to the program files area - that's antique old-skool stuff. Modern stuff targets what you see below - just like Chrome and Firefox browsers do. A user with NON-ADMIN rights can install that software. Malware only needs to get in and run for a few seconds. It doesn't care if the image is wiped every so often or locked in the apps area. The profile can't be locked down (without SEP and app control) so it's wide open. Malware gets in, does its stuff, perhaps totally messing up your network, and then leaves. No installs necessary, no admin rights needed.
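
To see how much executable content already lives in a profile before writing application-control rules for it, a read-only inventory like the following can be run as the logged-in, non-admin user. This is an added example, not part of the original post; the extension list and the assumption that the temp folder is `%LocalAppData%\Temp` are choices made for the illustration.

```powershell
# Added example: inventory executable files in the current user's profile.
# Read-only. Assumes the default temp location %LocalAppData%\Temp.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$extensions = '.exe', '.dll', '.scr', '.com'        # assumed list, extend as needed
$tempPrefix = (Join-Path $env:LOCALAPPDATA 'Temp') + '\'

$inventory = foreach ($root in $roots) {
    # -Force includes hidden items; access errors on locked files are skipped
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                InTemp    = $_.FullName.StartsWith($tempPrefix, [StringComparison]::OrdinalIgnoreCase)
                Signature = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified  = $_.LastWriteTime
                Path      = $_.FullName
            }
        }
}

# Summary: how many binaries the profile holds, by signature status
$inventory | Group-Object Signature | ForEach-Object {
    Write-Host ("{0,-16} {1}" -f $_.Name, $_.Count)
}

# Detail: anything sitting in Temp, or anything without a valid signature,
# with Temp entries first and the most recently written files at the top
$inventory |
    Where-Object { $_.InTemp -or $_.Signature -ne 'Valid' } |
    Sort-Object -Property @{ Expression = 'InTemp'; Descending = $true },
                          @{ Expression = 'Modified'; Descending = $true } |
    Select-Object InTemp, Signature, Modified, Signer, Path
```

Validly signed binaries from known publishers (meeting clients, browsers, Citrix) become the allow-list candidates for the application-control policy; unsigned files and anything executing from Temp are the entries to review.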