An Ounce of Prevention ...
1. Disable junk services (Even conservatively ... compare Automatic services on XP and 2003 Server, and you'll see what I am talking about.)
2. Clean startup.
3. Don't use IE. Opera is the best (even on my MacBook :)).
4. Use a perimeter firewall and updated antivirus.
5. Use WSUS, and always approve updates after making sure that there is no bad feedback after at least a week of release. The same goes for home/small network users with no WSUS - use manual updates via the web, and keep the update and background transfer services disabled the rest of the time.
Cheers!