Here is what I have found to be a pretty good way to go that won't break the bank.

For an organization this size I use Backup Assist (http://www.backupassist.com). It leverages Windows Backup and has agents for Exchange and SQL.

I then break things into three categories and treat each slightly differently.

Level 1
The things you call critical such as active email, source code, CRM, financial data, etc.
This stuff gets backed up daily and depending on my level of paranoia (how screwed we are if we lose X days) I copy it offsite either to an alternate office or if none exists (your scenario) to either a hosted server at a datacenter somewhere (max on the disk and bandwidth and min on all else which is much less than you $750 per month) or to a server connected via VPN to the company principle's house (poor man's hosted server).

Level 2
The things that change often, but just aren't level 1 such as home directories, business shares and other data.
Data in this category gets weekly backups and usually gets posted monthly to a large USB drive which gets rotated with its twin monthly. The drive with the current data is brought offsite for storage (again maybe to the company principal's house or maybe a safe deposit box). When the new drive is delivered the old one comes back to be used for the following month's backup.

Level 3
These are the unchanging files like images, email archives and stuff.
You can either burn these to optical media (if you do muliple copies with one going to the company principal's house(s) and a copy to the safety deposit box if you got one) or you can lump this onto the USB drive shuffle.

Hope this helps those who might be looking for this kind of insight.

The topic of the AT command and the command prompt came up on an internal list I am on with Microsoft the jist of which was, "How do I securely turn this junk off".

The answer is that to some degree the command prompt and especially when coupled with the Task Scheduler is a security hole that is closable, but not trivially.  You can patch it using things like this http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true
and you if you really want to wipe out the user's option you should reset the task scheduler service to use a low / no priv account and disable it (I am paranoid, but I have my reasons). The problem is that the perspective of most that come up against this is that you shouldn't have to do this, but the reality is that you do.

For a scary look at why simply taking the RUN command off the Start menu is not enough try the following:
Open up "Help and Support" from the Start menu and seach for "command". 
Select the entry that describes how to "Test a TCP/IP configuration using the ping command"
You will see that there is a link that will open up a command prompt (it doesn't run as System, but it runs). 
That is the XP version. 

The Windows 2003 Server one takes more searching, but it is there.

The issue is not that the functionality exists, we all want functionality.  The problem is when it is hard (or impossible) to shut something off effectively it is maddening and often leaves people dismayed.

Time for an analogy:
I have doors on my house that I leave unlocked all the time.  The dogs and other things in the house keep it secure (if you know me then you know what I mean), but if I wanted to secure those doors and found that I could lock them, but the manufacturer set them up so that the hinges were on the outside and manipulatable by an intruder then I would be unhappy.  Most security outrage and dismay comes from features that just didn't take security into consideration for the times when I don't want the user to do anything except what the user is told they can do.
 
This will always be an arms race.  If one of our professional security gurus such as Duane Laflotte wants to get in and has physical access to a workstation or server then he can get in, but there is a point where I will say, yes I accept that there are some things I can't defend against.  If you use a tank to blow in my front door, I won't moan to the manufacturer about them not being tank proof, that is what the mines are for ;)
 
Is Vista the solution to all security problems?  I doubt it.  I expect that there will be improvement based on features I already know are in the most recent builds, but I won't judge the security of Vista until after it ships (and won't pay all that much attention to it until then either) since the devil is in the details and the truth is in the final bits.  Submarines either leak or they don't.  The OS will be judged in much the same way in regards to security.

Ultimately information is power.  Nowhere is that more true than in the realm of security.  I suggest that you learn all you can and I will do what I can to help.

There are many varying opinions on almost everything, but Compliance is one of those topics like economics, everyone has a different opinion it seems.

I was reading an article by one of the Systems Engineers at Network Appliance entitled, "Six Tips for Archive and
Compliance Planning" and while I agree with most of the points Mike Riley makes, I had to think a bit about his words on Encryption.

He isn't saying not to use encryption, on the contrary, he is saying that encryption is a must, but the advice is sound.  Be careful what you do and the ramifications.  With compliance systems, often search and rapid retrieval are key and these are some of the most plausible arguements against specific applications of encryption.

As always, look before you leap.  I guarentee that if you think about where you should be using encryption you are already ahead of most.

Windows 2003 Server Pack 1 has a new capability that you might want to look into called Quarantine VPN.

With this technique you can validate that all clients that connect to your VPN meet specific requirements before they actually get access to network resources.  Microsoft has been doing this on their network for quite a while now and they have finally given everyone else that uses their products the same capability.

For details on how to implement it and a more in depth overview on Quarantine VPN read this Technet article.

The concept of Least Privilege is applied to developers and software testers all the time to advocate that the application be developed and tested using the lowest privileged account possible to get the job done.  For our purposes (network administration), I am referring to using administrative accounts for administration only and regular user accounts for everything else including word processing, research (aka web browsing) or the ever popular solitaire!

This is about using the proper tool for the job. If you wanted to trim some leaves from a tree you would be thought a bit odd if you decided to use a chainsaw, especially if the same job could be done easily with a pair of scissors.  Why is this something almost everyone recognizes as inappropriate?  Because the potential for you to do damage is huge! There are certainly people out there who will be able to perform the task with the excessive firepower and not lose a limb, but why take the risk?  As an administrator, hitting the delete key by accident and inadvertently accepting the confirmation becomes a major problem as the odds of you having the rights to carry out the delete are much higher then if you were logged in as a normal user.  When you delete a directory on a network share you can’t just go to the recycling bin on your client machine to undo the damage.  Administrators even have the ability to change the permissions at the root of a system volume which will usually render the operating system unusable (requires a restore or rebuild).  Why would you want to have these unnecessary risks when it could cost days of downtime.  Claims that it is inconvenient to keep track of two logins are the most common justification.  Now that network operating systems have tools like the Windows “Run As” this is a hollow excuse. 
See developers and network professionals are that different after all!

Alot of sources say that you should rename your administrator account on your windows systems and windows network.  While I agree with this wholeheartedly, you need to take the war to the hacker.

First, renaming the administrator account to admin or adm or something equally obvious when seen doesn't cut it.  You need to get evil.  If you rename the account (and you should) then rename it to something indistinguishable from the rest of your accounts.  Remember that internal threats are real and your uses can usually see the entire user list.  Pick someone you went to school with that will never work for your company (at least not while you work there) and rename the administrator as if it were that person's account according to your standard naming practices.  SJones for instance for Susan Jones.  Also fill out the record with a description, etc.  For larger companies you want to make this impossible to discern by a typical user from someone working in a remote office or maybe a temp that never got deleted.  Understand that this is easiest when you first setup the machine or network, but can be done long after if you can bring yourself to do away with using the Administrator account for services or regular network maintenance.

So now you have an administrator that no one can identify from just looking at the user list.  The SID for the administrator account is still the same and we can't do much about that, but we take what we can get.

Next move is to create a new account named Administrator.  Give it a nightmare password (14 or more characters with mixed case and symbols everywhere) and then turn on auditing for failed logins at a minimum.  Now you have setup a scenario where no one has any business using the administrator account for anything except hacking.

If you follow this tactic for all privileged accounts so that Exchange runs under MKelly and SQL Server runs as PRobinson then you have just taken a lesson from Sun Tzu and applied it to your system security.  Machiavelli would be proud!