And yes, lanman hashes are still computed and stored by default in the SAM even on W2k and XP but it is possible to disable the generation of these (don't remember the exact reg key, but it is possible...)
Yep, indeed this is true. Just pointing it out because I see this enabled on 95% of the machines I look at.

Here is the regkey:

Function Do Not Send LanMan Password
Hive HKEY_LOCAL_MACHINE
Key \System\CurrentControlSet\Control\Lsa
Value LMCompatibilityLevel
Type REG_DWORD
Data 0-5
Benefit This parameter specifies the type of authentication to be used when an NT client is authenticating to another machine. Setting this value to 4 or 5 may prevent Win9x clients from accessing server resources.
Level 0 Send LM response and NTLM response; never use NTLMv2 session security (default).
Level 1 Use NTLMv2 session security if negotiated
Level 2 Send NTLM authenication only. Never send LM authentication.
Level 3 Send NTLMv2 authentication only.
Level 4 DC refuses LM authentication.
Level 5 DC refuses LM and NTLM authentication (accepts only NTLMv2).