Here is what I have found to be a pretty good way to go that won't break the bank.

For an organization this size I use Backup Assist (http://www.backupassist.com). It leverages Windows Backup and has agents for Exchange and SQL.

I then break things into three categories and treat each slightly differently.

Level 1
The things you call critical such as active email, source code, CRM, financial data, etc.
This stuff gets backed up daily and depending on my level of paranoia (how screwed we are if we lose X days) I copy it offsite either to an alternate office or if none exists (your scenario) to either a hosted server at a datacenter somewhere (max on the disk and bandwidth and min on all else which is much less than you $750 per month) or to a server connected via VPN to the company principle's house (poor man's hosted server).

Level 2
The things that change often, but just aren't level 1 such as home directories, business shares and other data.
Data in this category gets weekly backups and usually gets posted monthly to a large USB drive which gets rotated with its twin monthly. The drive with the current data is brought offsite for storage (again maybe to the company principal's house or maybe a safe deposit box). When the new drive is delivered the old one comes back to be used for the following month's backup.

Level 3
These are the unchanging files like images, email archives and stuff.
You can either burn these to optical media (if you do muliple copies with one going to the company principal's house(s) and a copy to the safety deposit box if you got one) or you can lump this onto the USB drive shuffle.

Hope this helps those who might be looking for this kind of insight.

The topic of the AT command and the command prompt came up on an internal list I am on with Microsoft the jist of which was, "How do I securely turn this junk off".

The answer is that to some degree the command prompt and especially when coupled with the Task Scheduler is a security hole that is closable, but not trivially.  You can patch it using things like this http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true
and you if you really want to wipe out the user's option you should reset the task scheduler service to use a low / no priv account and disable it (I am paranoid, but I have my reasons). The problem is that the perspective of most that come up against this is that you shouldn't have to do this, but the reality is that you do.

For a scary look at why simply taking the RUN command off the Start menu is not enough try the following:
Open up "Help and Support" from the Start menu and seach for "command". 
Select the entry that describes how to "Test a TCP/IP configuration using the ping command"
You will see that there is a link that will open up a command prompt (it doesn't run as System, but it runs). 
That is the XP version. 

The Windows 2003 Server one takes more searching, but it is there.

The issue is not that the functionality exists, we all want functionality.  The problem is when it is hard (or impossible) to shut something off effectively it is maddening and often leaves people dismayed.

Time for an analogy:
I have doors on my house that I leave unlocked all the time.  The dogs and other things in the house keep it secure (if you know me then you know what I mean), but if I wanted to secure those doors and found that I could lock them, but the manufacturer set them up so that the hinges were on the outside and manipulatable by an intruder then I would be unhappy.  Most security outrage and dismay comes from features that just didn't take security into consideration for the times when I don't want the user to do anything except what the user is told they can do.
 
This will always be an arms race.  If one of our professional security gurus such as Duane Laflotte wants to get in and has physical access to a workstation or server then he can get in, but there is a point where I will say, yes I accept that there are some things I can't defend against.  If you use a tank to blow in my front door, I won't moan to the manufacturer about them not being tank proof, that is what the mines are for ;)
 
Is Vista the solution to all security problems?  I doubt it.  I expect that there will be improvement based on features I already know are in the most recent builds, but I won't judge the security of Vista until after it ships (and won't pay all that much attention to it until then either) since the devil is in the details and the truth is in the final bits.  Submarines either leak or they don't.  The OS will be judged in much the same way in regards to security.

Ultimately information is power.  Nowhere is that more true than in the realm of security.  I suggest that you learn all you can and I will do what I can to help.

There are many varying opinions on almost everything, but Compliance is one of those topics like economics, everyone has a different opinion it seems.

I was reading an article by one of the Systems Engineers at Network Appliance entitled, "Six Tips for Archive and
Compliance Planning" and while I agree with most of the points Mike Riley makes, I had to think a bit about his words on Encryption.

He isn't saying not to use encryption, on the contrary, he is saying that encryption is a must, but the advice is sound.  Be careful what you do and the ramifications.  With compliance systems, often search and rapid retrieval are key and these are some of the most plausible arguements against specific applications of encryption.

As always, look before you leap.  I guarentee that if you think about where you should be using encryption you are already ahead of most.

Windows 2003 Server Pack 1 has a new capability that you might want to look into called Quarantine VPN.

With this technique you can validate that all clients that connect to your VPN meet specific requirements before they actually get access to network resources.  Microsoft has been doing this on their network for quite a while now and they have finally given everyone else that uses their products the same capability.

For details on how to implement it and a more in depth overview on Quarantine VPN read this Technet article.