• Opc.Three and Steve are dead on. I would take a step back and take an inventory of who has SA rights, who has local admin rights on the box, etc. I posted an Instance Security Audit script previously on this site, URL below. I use it all the time to get a handle on who has what rights in SQL Server, even does object permissions for each database. You will have to examine the local box Windows permissions separately. Doing these should at least give you a starting point, and possibly some arguments to restrict some accessibility that some users have that maybe don't need it. Just because it is Express Edition doesn't mean that security should be open.

    Restricting box access and being very stringent on the database rights (access to only the tables they need, etc.) are good starting places. Sure beats doing nothing.

    URL for Instance Security Audit documentation:

    http://www.sqlservercentral.com/Forums/Topic1251262-146-1.aspx?Update=1

    Hope this helps.
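The inventory the post above describes, as an added T-SQL example (it is not the poster's Instance Security Audit script and not part of the original post): it lists fixed server role members with sysadmin first, server-level grants made outside roles, and role membership plus explicit object permissions in the current database. It uses only standard catalog views; the database-level queries have to be run in each database you want to review.

```sql
-- Added example: who holds server-level rights on this instance.
-- 1) Fixed server role membership, sysadmin listed first.
SELECT  r.name       AS server_role,
        m.name       AS member_name,
        m.type_desc  AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = N'sysadmin' THEN 0 ELSE 1 END, r.name, m.name;

-- 2) Server-level permissions granted directly (CONTROL SERVER is
--    effectively sysadmin even though it never shows up in query 1).
SELECT  p.name AS grantee, p.type_desc, sp.state_desc, sp.permission_name
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.class_desc = N'SERVER'
  AND   sp.permission_name <> N'CONNECT SQL'
ORDER BY sp.permission_name, p.name;

-- 3) Database role membership in the current database.
SELECT  r.name AS database_role, m.name AS member_name, m.type_desc AS member_type
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 4) Explicit object-level GRANT/DENY in the current database,
--    excluding objects shipped by Microsoft.
SELECT  pr.name                  AS grantee,
        pr.type_desc             AS grantee_type,
        dp.state_desc,           -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        dp.permission_name,
        SCHEMA_NAME(o.schema_id) AS schema_name,
        o.name                   AS object_name,
        o.type_desc              AS object_type
FROM    sys.database_permissions AS dp
JOIN    sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN    sys.objects              AS o  ON o.object_id = dp.major_id
WHERE   dp.class = 1             -- OBJECT_OR_COLUMN
  AND   o.is_ms_shipped = 0
ORDER BY pr.name, schema_name, object_name, dp.permission_name;

-- Windows groups returned by query 1 are not expanded to their members.
-- To expand one, substitute the group name (placeholder shown):
-- EXEC xp_logininfo @acctname = N'<DOMAIN\Group>', @option = 'members';
```

Any Windows group that appears under sysadmin, such as a local Administrators group, ties the result back to the separate check of local box permissions mentioned in the post.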