Truth be told, Windows security infrastructure is actually more powerful than the traditional Unix/Linux, although less than SELinux.
Yes, you should avoid running Tomcat as an Administrative user. That means that for best results, you should create a non-admin user named "tomcat" (or something) and, if you're planning on running as a Windows Service, set the service user to be "tomcat". Unlike the Apache httpd server, Tomcat can't "jail" itself, so it has to run non-admin start-to-finish.
The port 80 restriction comes from the fact that in many OSes (but not all), ports below 4096 can only be opened as listeners by admin/root users. And since it's dangerous to run Tomcat as an admin user, the next best thing is to run it on a higher port such as 8080 and proxy to it, like you're doing with your router.
For additional security, set up a Tomcat user group and constrain the tomcat user and tomcat group to the absolute bare minimum of resource access rights needed. Note that the CATALINA_HOST parts of Tomcat are essentially read-only as far as Tomcat is concerned, so you can make it harder to sabotage Tomcat's executable code by write-protecting it.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
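
The setup described in the post above, sketched in PowerShell as an added example that is not part of the original post. The install path `C:\Tomcat`, the service name `Tomcat9` and the group name `TomcatSvc` are assumptions; run it from an elevated prompt.

```powershell
# Added example. Assumed values (not from the post): adjust to your install.
$TomcatHome  = 'C:\Tomcat'   # assumed install directory
$ServiceName = 'Tomcat9'     # assumed Windows service name
$User        = 'tomcat'      # non-admin account, as the post suggests
$Group       = 'TomcatSvc'   # hypothetical group name

# 1. Local non-admin account and group for the service.
$Password = Read-Host -AsSecureString "Password for $User"
New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Tomcat service account'
New-LocalGroup -Name $Group -Description 'Tomcat runtime access'
Add-LocalGroupMember -Group $Group -Member $User

# 2. Run the service as that account. The account also needs the
#    "Log on as a service" right (Local Security Policy, secpol.msc).
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
sc.exe config $ServiceName obj= ".\$User" password= $plain
Remove-Variable plain

# 3. Install tree: drop inherited ACEs; admins and SYSTEM keep full control,
#    the service group gets read and execute only (write-protected code).
icacls $TomcatHome /inheritance:r /grant:r 'Administrators:(OI)(CI)F' `
    'SYSTEM:(OI)(CI)F' "${Group}:(OI)(CI)RX"

# 4. Only the directories Tomcat writes at runtime get Modify.
foreach ($dir in 'logs', 'temp', 'work') {
    icacls (Join-Path $TomcatHome $dir) /grant "${Group}:(OI)(CI)M"
}
Restart-Service $ServiceName

# 5. Verify: the service account, its group membership and the resulting ACL.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service runs as: $($svc.StartName)"
$inAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object Name -like "*\$User"
if ($inAdmins) { Write-Warning "$User is a member of Administrators" }
icacls $TomcatHome
```

If Tomcat is configured to unpack WAR files or auto-deploy, the service group also needs Modify on `webapps`, which trades away some of the write-protection.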