Absolutely stupid things to disable: (Score 1)

DHCP: (as mentioned above) Outside North America most people, even on broadband, don't have a static IP. In Australia it's available as an option, but you often have to pay extra. (They assume you want to host a server of some description) And what about people on dialup? DNS: (as mentioned above) What's with all this huggy-feely friendly name crap, everybody should be typing in raw IP addresses! *roll eyes* Remote Access Connection Manager: Required to make a dialup connection. Yeah, why just choke their connections downloading the thing, when you can disable them altogether and curb the spam problem!" Brilliant work at the Reg. ;) SSDP Discovery Service & UPnP: Unfortunately, these are used for the remote control aspects of the XP implementation of Internet Connection Sharing. If they disabled these out of the box then people would lose this functionality. At least the firewall limits it to the local subnet by default. NetBIOS helper: Required for backwards compatability with Win9x machines, and file/print sharing is restricted (by the firewall again) to the local subnet. He had some good points about permissions, but that kind of stuff should no news to any of us. Finally, his IE bitching is irrelevant. It's very easy to switch to Firefox, Mozilla or Opera. IE should be disabled with all security options set to max, so that programs which wrap IE aren't too vulnerable. If you want to go one step further you can set a fake proxy in IE's Connection options and make Windows Update an exception, so that you can still manually check it if required.