I found a very helpful and informative Microsoft KB article on domain security settings, with detailed information on each setting, what happens when you enable it, and the compatibility problems that may occur.
For example, it recommends setting "Network security: LAN Manager authentication level" to NTLMv2, because of known security problems with the default LM and NTLM protocols. Personally, I set this to "NTLMv2, refuse LM & NTLM" in a Group Policy in the Windows domains I manage, to get the best protection against attackers who sniff password hashes off the local network.
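To confirm what a machine actually ended up with after the Group Policy applies, the added example below (not from the KB article or the original post) reads the `LmCompatibilityLevel` registry value that stores this setting and reports which legacy protocols are still sent or accepted. The function name is hypothetical, and the script assumes it runs locally on the Windows machine being checked.

```powershell
# Added example: audit the effective "LAN Manager authentication level" locally.
# The policy is stored as the LmCompatibilityLevel DWORD (0-5) under the Lsa key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy option names as shown in the Group Policy editor, keyed by stored value.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevelReport {   # hypothetical helper name
    param([string]$Path = $LsaKey)

    $prop = Get-ItemProperty -Path $Path -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: no policy has written it, so the OS built-in default applies.
        return [pscustomobject]@{
            Level     = $null
            Setting   = 'Not configured (operating system default applies)'
            Compliant = $false
        }
    }

    $level = [int]$prop.LmCompatibilityLevel
    $name  = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { 'Unknown value' }

    [pscustomobject]@{
        Level               = $level
        Setting             = $name
        ClientSendsLmOrNtlm = ($level -lt 3)   # levels 0-2 still send LM and/or NTLM responses
        AcceptsLm           = ($level -lt 4)   # only levels 4 and 5 refuse LM
        AcceptsNtlm         = ($level -lt 5)   # only level 5 refuses NTLM as well
        Compliant           = ($level -eq 5)   # matches "NTLMv2, refuse LM & NTLM"
    }
}

$report = Get-LmAuthLevelReport
$report | Format-List
if (-not $report.Compliant) {
    Write-Warning 'LM and/or NTLM is still sent or accepted on this machine.'
}
```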