Quote: The XP firewall is a good step, but only if it blocks SMB ports on the Internet side _by default_ in the home internet config
It does.
As for backward compat. An NT/2k/XP instance of NetBIOS is extremely securable even w/o AD, as you can force everyone to use 128-bit encryption for everything that involves passwords, including downlevel 9x clients (DSClient.exe). I've tried a number of crackers on the NTLMv2 hashes sent by/to win9x clients with DSClient and LMCompatibility 3 and they cannot decode them.
-Kevin