Well, of course from an administrator account everything's possible! The firewall's rules had to be stored somewhere after all.
The above would not work in a limited account, since access to the registry is prohibited.
It is nice that you described this though, if nothing else to demonstrate how easily malware can reconfigure the Windows firewall to let itself out, and how many more considerations there are to take into account when logged in as an administrator!
I second nske's comments. I run all my users in non-admin mode at work and at home! This I believe is the major reason behind spyware infections. Obviously this problem mainly exists in the Windows world where people are not so familiar with the concept of root and limited user accounts.
Well, since Microsoft likes to push users in the direction it wants in everything (default software, default settings, etc.), it would be a good idea to encourage this and some other security-conscious decisions during the installation.
After all, nobody would complain about having to log in again each time he needs to install some new software or configure something, as they complain now about having an unusable malware-infected system. Besides, the procedure could be more transparent, not requiring the current login session to be disrupted.
PS. And afterwards they could even patent this idea and sue the Linux community for billions!