When I was at college, it was similar - Students could not install software. Only the IT staff had accounts with Admin privileges.
However, the lack of admin rights did not stop infections spreading to everyone's e-mail account. For example, while limited user accounts stopped viruses being able to install to run on boot, it had no effect on Word macro infections. Obviously students need access to Word and Microsoft did not provide a way to block macros back then ~2000.
Of course with many students never encountering a virus before, they opened every e-mail and of course once Melissa and the "I love you" viruses struck, everyone got hit with an inbox full of e-mails with the infection. The college had to disable e-mail for a while to clear the infections.
At that time, another issue was "privilege escalating infections", as Windows 2000 did not offer any sort of data execution protection. This meant that there were many infections that exploited vulnerabilities to run as a system process from a limited user account, requiring the user to do little more than view an infected JPEG or website in Internet Explorer. These are quite rare now although I wonder if this NHS issue was such an infection that could take hold of a system from a limited user account.