Not sure with Windows 8/8.1, but some OEMs did disturbing things to the default security settings through Windows 7 on consumer-level PCs (at least), supposedly in the name of expediency and/or convenience. That can give non-admins more access than they "should."
Sysinternals has utilities like accesschk or AccessEnum that can audit this.
"Legacy" access to "protected" areas of the system would also depend on how User Account Control (UAC) was set and was used while the account was in the Administrators group (i.e., S-1-5-32-544). The default for the first (and usually only) user is a split admin personality that requires elevation for admin tasks (i.e., "Admin Approval Mode"). If UAC was turned off and/or the user did things while elevated, then you run into that issue after demoting the account.
(The OEM "thing" is probably a bigger "can of worms.")
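An added example, not part of the original answer: a PowerShell audit that reports the UAC state and lists directories under the protected system locations where broad non-admin groups hold write-type rights, the kind of finding accesschk or AccessEnum would surface. The function name `Find-NonAdminWritable`, the scanned roots and the depth limit are assumptions chosen for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original answer). Assumes PowerShell 3.0 or later.
# Well-known SIDs of broad, non-administrative principals.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that let a principal change a directory's contents or its ACL.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# ACEs can also carry raw generic bits that the enum does not name.
$GenericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Find-NonAdminWritable {            # hypothetical helper name
    param([string[]]$Root, [int]$Depth = 2)
    foreach ($r in ($Root | Where-Object { $_ })) {
        # Collect the root plus $Depth levels of subdirectories.
        $dirs  = @(Get-Item -LiteralPath $r -ErrorAction SilentlyContinue)
        $level = $dirs
        for ($i = 0; $i -lt $Depth -and $level; $i++) {
            $level = @($level | Get-ChildItem -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer })
            $dirs += $level
        }
        foreach ($d in $dirs) {
            try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }
            # Ask for SIDs so the check does not depend on localized group names.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
                    ([int]$ace.FileSystemRights -band ($WriteMask -bor $GenericMask))) {
                    [pscustomobject]@{
                        Path      = $d.FullName
                        Principal = $BroadSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# EnableLUA = 0 means UAC (and Admin Approval Mode) is switched off.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"UAC enabled (EnableLUA): $($uac.EnableLUA -eq 1)"
Find-NonAdminWritable -Root $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir |
    Sort-Object Path | Format-Table -AutoSize
```

Some hits are default Windows behaviour (C:\Windows\Temp, for example), so compare the output against a clean install of the same Windows version before treating an entry as an OEM change.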