A few things:

Locking down W2K3 is *almost* identical to W2K and in your case, will be the same as a 2K lockdown. Do the standard stuff that you would on any W2K server.

Using a standard AV client can do damage to the mailstore on Exchange (you mentioned internal e-mail). Look into the appropriate method of AV protection on the vendor's site. You didn't mention which AV solution you are using. If it's Symantec, they make something specifically for Exchange.

Your perimeter will be sufficiently protected if you install the IOS that includes FW capabilities (which I'm sure you are).

Group policy can be pressed against the law of diminishing returns. There is a point where it is more of a pain in the ass to set up than simply configuring the workstations. In your case, since there is no admin onsite, the road you have mapped out sounds reasonable.