We got nailed two weeks ago by Conficker. I ran through the 26-step checklist from Microsoft on my own computer, as well as on our domain server. It says near the end to reverse all the changes, but I kinda like the changes (disables Autorun and some other settings).
Is there anything in that fix that'll come back to haunt me down the road?
Also, maybe the group policy never took effect, I couldn't quite tell. Do your policies have to be placed on computers or users (or does it matter?) for this fix?
Yes, there are some group policies which help stop Conficker from spreading.
There is a Microsoft support article: Virus alert about the Win32/Conficker.B worm. Look for the "Prevention" section.
Can you scale back your protections against Conficker?
The article you linked has a lot of good practice that, in my humble opinion, you should keep. Isolating old hosts from the evil internet, having your boxes patched with up-to-date AV, and keeping AutoRun disabled are good ideas. Strong password rules with regular rotations are probably the most controversial change if you're not doing it already, since it will require institutional changes. But auto-patching has been default behavior in Windows since WinXP SP2, and auto-run defaulting to off will be in Win7.
Whether it's time to deactivate the group policy is going to be based on whether you feel you still have potentially infected systems in your environment. If you rebuilt and patched everything, it might be time.
If you want good protection against Conficker, you can configure your computer or router to use OpenDNS. They maintain a list of sites that spread Conficker and block them right away.
You can also block many other things with it, like the majority of spyware sites, scams, phishing, etc.
This is very useful and it adds a major security layer to your network.
The OU I work on within our company never got hit by Conficker, here's why:
I can't think of any reason as to why users would be allowed to install their own USB peripherals. So my advice is to leave the GPOs as you activated them during the Downadup/Conficker spread.
Autoplay / Autorun is not required to be an all-or-nothing solution.
We have a sensible solution: we allow autoplay / autorun on CD-ROM drives but do not allow it from any writable media or hard disk.
This setting is available through GPO.
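As an added example (not code from any of the answers above), the following PowerShell script checks whether the "Turn off Autoplay" policy has actually landed on a machine and decodes which drive types it covers. It addresses both the question of whether the GPO took effect and the per-drive-type split described in the last answer. It reads the `NoDriveTypeAutoRun` registry value that the policy writes, under both the Computer Configuration (`HKLM`) and User Configuration (`HKCU`) policy keys, since the GPO exists in both places and either one disables Autorun for the affected scope. The bit meanings are Microsoft's documented layout for that value; the script assumes a Windows host and read access to the registry.

```powershell
# Added example, not part of the original thread: verify the Autorun policy
# applied and show which drive types it covers.
# NoDriveTypeAutoRun is a bitmask; a SET bit DISABLES Autorun for that drive type.

$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # Computer Configuration
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # User Configuration
)

# Documented bit layout of NoDriveTypeAutoRun.
$driveBits = [ordered]@{
    0x01 = 'Unknown drive type'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (hard disks)'
    0x10 = 'Network drives'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disks'
    0x80 = 'Unrecognised drive type'
}

foreach ($path in $policyPaths) {
    $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = $item.NoDriveTypeAutoRun

    if ($null -eq $value) {
        # No policy value here: the GPO has not applied to this scope (or is not targeted at it).
        Write-Output "$path : NoDriveTypeAutoRun not set - policy has not applied in this scope"
        continue
    }

    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $path, $value)
    foreach ($bit in $driveBits.Keys) {
        $state = if ($value -band $bit) { 'disabled' } else { 'ALLOWED' }
        Write-Output ("    {0,-36} Autorun {1}" -f $driveBits[$bit], $state)
    }
}

# The "CD-ROM only" split from the answer above is 0xDF: every bit set except
# 0x20 (CD-ROM). 0xFF disables Autorun everywhere. Set this through the GPO
# rather than by hand, since Group Policy will overwrite a manual registry edit
# on the next refresh; the line below is only for a one-off local test and
# needs administrative rights.
# Set-ItemProperty -Path $policyPaths[0] -Name NoDriveTypeAutoRun -Value 0xDF -Type DWord
```

Run it on a workstation after `gpupdate /force`. If neither key carries the value, the policy is not reaching that machine (wrong OU, security filtering, or the GPO is linked but disabled); if only `HKCU` carries it, the policy was applied under User Configuration and will follow the user rather than the machine. Because a set bit means "disabled", the line you want to see for a locked-down host is `Removable ... Autorun disabled` and `Fixed ... Autorun disabled`, with only the CD-ROM line reading `ALLOWED` if you chose the 0xDF split.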