(multi user) application binaries should go into FOLDERID_ProgramFiles, application data should go into FOLDERID_ProgramData and user files (save games, settings, etc.) should go into FOLDERID_LocalAppData.
so caveman.exe goes in ProgramFiles, all the meshes, textures, models, wavs, animations etc. go in ProgramData, and savegames, and stuff that gets paged from disk like container content lists and explored local map bitmasks goes in LocalAppData (i.e. C:\users\current_user\appdata\local).
hmm... more work, and you can't find everything in one folder. but it gets you readonly binaries, shared data (probably irrelevant for caveman), and user data under the current_user folder for ease of backup purposes (i'd assume).
right now i put it all in a single caveman3 folder under programfiles. i haven't had any issues with this on my PC even though programfiles is protected. but then again, i only have one account on the PC, the admin account, which is what i use all the time. so i suppose i'm always running as admin.
also i haven't moved steam or skyrim, and have encountered no issues on my PC - i'm trying to muck with the skyrim install as little as possible while modding.
however, when installing under programfiles, corrupt UAC files apparently can lead to the dreaded BEX error:
http://www.gamedev.net/topic/660329-whats-this-error-message-mean/
and fixing it is pretty ugly. can't find the link right now, but it involves un-hiding hidden folders and files and regedit and hkeys - you get the idea. way more than you want the user to have to go through to run your game.
so i was thinking, you could avoid this whole UAC issue by simply installing to an unprotected folder - i.e. somewhere other than program files. it's a simple one-line change in the Inno setup script.
OTOH, this means you're not doing it the MS way...
should i not worry about users with UAC issues?
You really want to install to program files by default, and require elevation to a trusted user for both installation and updates, and never load executable files (exes, dlls, Java jars, etc.) from any non-trusted location. This way no other untrusted piece of code can infect your program.
if by trusted you mean verisign, then i'm screwed, because i can't afford to verisign right now, so it's all from "Unknown Publisher".
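
The folder split discussed in this thread, written as an Inno Setup script. This is an added example, not code from any poster; AppVersion and the build\ source paths are placeholders, and the choice to leave per-user folders to the game itself is an assumption of the sketch.

```iss
; Constructed example: AppVersion and the build\ source paths are placeholders.
[Setup]
AppName=Caveman
AppVersion=0.0.0
; {pf} maps to FOLDERID_ProgramFiles; writing there needs an elevated installer.
DefaultDirName={pf}\Caveman3
PrivilegesRequired=admin

[Files]
; Binaries: under Program Files, so standard users cannot modify them.
Source: "build\caveman.exe"; DestDir: "{app}"; Flags: ignoreversion
; Shared game data (meshes, textures, wavs): FOLDERID_ProgramData.
Source: "build\data\*"; DestDir: "{commonappdata}\Caveman3"; Flags: ignoreversion recursesubdirs createallsubdirs

; No entry for {localappdata}: the installer runs elevated, so that constant
; can resolve to the administrator's profile rather than the player's.
; Assumption of this sketch: the game creates its savegame folder under
; FOLDERID_LocalAppData itself the first time each user runs it.
```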