Friday, September 03, 2004 - Posts

The evil of wrong Windows base configurations

After reading one of the few good articles on The Register, http://www.theregister.co.uk/2004/09/02/winxpsp2_security_review/,
I have to wholeheartedly agree with the article, since I like to fiddle with my local policy settings on all machines I run. It's one of the
most underused and least understood technologies in the Windows world.

Basically it allows the following things:

setting account/password options (password strength, account lockout)
disable legacy components (like LAN manager authentication - LM & NTLM used on 9X Windows)
Hardware access
IPSEC filters
auditing
disabling configuration of network, IE, scheduling and other stuff
disabling command prompt and disallow lists of executables
disallow installation of programs
set ACLs
lockdown WMI
harden TCP/IP
and more stuff

I use the Windows Security Scoring Tool from http://www.cisecurity.org to build secure baselines for standalone and networked PCs and even servers sometimes. I've read somewhere that even Dell ships some workstations with
such a baseline switched on. The CIS tool contains excellent templates which are recommended by organizations like NIST, NSA, DISA, SANS, and CIS.
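
To show what checking a machine against such a baseline looks like, here is an added example (not code from this post or from the CIS tool): it parses a security template in the INF layout that `secedit /export /cfg` writes and flags a few of the account and LAN Manager settings listed above. The thresholds and the sample template are assumptions made for the illustration.

```python
import configparser

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# (section, key, check). Thresholds are assumptions for this example,
# not values taken from the CIS templates.
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8),
    ("System Access", "PasswordComplexity", lambda v: v == 1),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10),  # 0 = no lockout
    ("Registry Values", LSA + r"\LmCompatibilityLevel", lambda v: v >= 3),  # NTLMv2 only
    ("Registry Values", LSA + r"\NoLMHash", lambda v: v == 1),  # do not store LM hashes
]

# Constructed sample in the layout of a `secedit /export /cfg policy.inf` file.
# A real export is UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def audit(template_text):
    """Return (setting, observed) for every baseline check that fails."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(template_text)
    findings = []
    for section, key, is_ok in BASELINE:
        name = key.rsplit("\\", 1)[-1]
        raw = cp.get(section, key, fallback=None)  # option lookup is case-insensitive
        if raw is None:
            findings.append((name, None))  # a setting that is not defined is a finding
            continue
        # Registry entries are stored as "<type>,<data>"; type 4 is REG_DWORD.
        value = int(raw.split(",")[-1].strip().strip('"'))
        if not is_ok(value):
            findings.append((name, value))
    return findings

if __name__ == "__main__":
    for name, value in audit(SAMPLE_INF):
        print("FAIL", name, "not defined" if value is None else value)
```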