So don't give them root access, and mount the /home partition as noexec to prevent executing downloaded programs.

I set up a dual-boot Ubuntu install many years ago like this. It worked for years without me realizing — the Windows install had some problem, and my dad started using Ubuntu without telling me.

I figure the downloaded malware is more a reference to machines running Windows, not Ubuntu.

It's still pretty easy to download malicious shell scripts that can wreck your user data and configs on Linux, so noexec is a great tip for setting up a system for a non-technical user.