Whole heartedly agree.

I also remove all rights assigned to the PUBLIC group/role so that a user has to be explicitly associated with a specific role. You don't come in one morning and find a strange IUSR_WebServer user in your database!

I also use NT security with a lot of my database, but NOT the NT administrators group.

I'm fortunate in that I can dictate exactly what goes on in my database so I also remove any direct on tables so that everything has to come via stored procedures.

I find that once my developers see the performance increase of stored procedures and realise how much simpler a stored procedure makes their life I find they become absolute zealots on the subject!