opc.three (3/14/2013)
sa is like the Windows "Administrator" account for the instance. When logged in as sa you can do any action on the instance. Lots of people, including myself, like to disable the Login since it is a well known attack vector. If your instance is in Mixed Security Mode (most are), the sa Login is enabled and someone can crack the password they can gain control of the instance.The public Database Role is a role all Users are a member of. Think of it as the "Everyone" group you see in Windows. It has limited privileges but all Users are a member of it and they cannot be removed from the Role.
Just to clarify: When you change to mixed-mode authentication from Integrated Security the 'sa' account is by default disabled. If it is enabled then it is because a SYSADMIN has enabled it.....