Comments on: Autorun malware https://grey-panther.net/2008/09/autorun-malware.html

By: slaphappy https://grey-panther.net/2008/09/autorun-malware.html#comment-113 Thu, 23 Sep 2010 13:39:23 +0000

By far the most complete and well explained post on this topic, thanks!!

As someone who just became aware of this issue it was quite confusing with all the windows updates and registry hacks being suggested, to understand what I really needed to do. Two suggestions to add to your post.

1. Please add one more update to your section "Can I turn off autorun? What is the disadvantage of turning it off?" You can copy it exactly from the update posted from the US-CERT site

"Microsoft has published Microsoft Knowledge Base Article 967715, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to all affected systems. The previous update, described in Microsoft Knowledge Base Article 953252, was only available through Microsoft Update for Windows Vista and Windows Server 2008, and for manual installation on other affected platforms. Microsoft states that systems that already applied the update from Microsoft Knowledge Base Article 953252 do not need to apply the update from Microsoft Knowledge Base Article 967715 because the changes are the same. Additional details about the update can be found in Microsoft Security Advisory (967940). Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as effectively as the workaround described above."

2. You might want to recommend a piece of software called "Autorun Settings 1.1" in addition to Panda. It makes it very easy to selectively disable specific Autorun features. I personally like to keep the Autorun feature operational for the CD/DVD player.

By: Cd-MaN https://grey-panther.net/2008/09/autorun-malware.html#comment-454 Thu, 26 Mar 2009 13:36:04 +0000

@Anonymous: thank you for the comment. I didn’t know about the veto files directive under Samba. It is really cool!

By: Anonymous https://grey-panther.net/2008/09/autorun-malware.html#comment-455 Thu, 26 Mar 2009 13:34:12 +0000

Nice blog post.

here’s some more

we run both Windows and Linux/Samba servers

On Samba I use:
veto files = /copy.exe/host.exe/autorun.inf/RECYCLER/ in the share definition.

On Windows shares I create an autorun folder with no rights.

We don’t run (M)AD so I enforce the NoDriveTypeAutorun through a Kixscripts login script.

By: kurt wismer https://grey-panther.net/2008/09/autorun-malware.html#comment-671 Mon, 29 Sep 2008 09:02:02 +0000

just as a clarification: although you may not be able to disable media change notification for USB drives, autorun on USB drives behaves more like it does for drives without media change notification (execution on access rather than on insertion) as is documented by microsoft…

that’s the reason U3 technology was developed in the first place – the CD drive impersonation allows U3 compatible USB devices to get around that limitation and have their contents executed as soon as the device is plugged into the computer rather than waiting for someone to click on the drive letter in windows explorer…

also, you didn’t mention it but the autoplay menu can include entries specified by the autorun.inf file that point to programs on the USB device itself rather than just programs installed on your computer…

By: Cd-MaN https://grey-panther.net/2008/09/autorun-malware.html#comment-672 Sun, 28 Sep 2008 15:20:29 +0000

In theory it sounds good, however I see several potential problems:

This only works with NTFS – NTFS is not “officially” supported on removable media (you can hack it to make it work, but that’s another question).

Even if the USB stick is formatted to NTFS, you would have to trust the owner of the stick that s/he set the right permissions before s/he gave it to you.

It is easy to goof up and set the deny rule to be inherited.

The main problem isn’t the local hard disks, but rather USB sticks and network drives.

By: Anonymous https://grey-panther.net/2008/09/autorun-malware.html#comment-673 Sun, 28 Sep 2008 15:02:38 +0000

what about prohibiting write access to the root of drives (except C:)?
