Yeah, there are so many improvements, but the security scheme sometimes annoyed me when I worked with 2003R2 over 2000. 2003R2 refuses VPN when you don't already have the domain registered; 2000 mounts the VPN by IP normally. The stack of the IP tables, when you use more than one NIC for internal traffic, prefetches only one net NIC, and the others do not respond to a ping. 2000 doesn't have this problem. It was solved by putting in a Gigabit hub and only one net NIC to the internal net. That stopped the problem, but registering the domain here in Brazil costs a lot compared to the US. We killed the VPN where 2003 is installed and we started to use another solution.
I really don't know if there is a problem with misconfigs with the VPN, but it has happened.
Another major problem that I've found on XP/2003 is the annoyance of being obligated to use the name of the machine instead of the IP address to get rid of the message to the users ("Do you want to run the software from X.X.X.X?"). Mapping to the name of the machine solves the problem, but if the IP tables or ARP entries are not given, a broadcast is sent to the entire subnet to convert the names into IP addresses. I found it much simpler when 2000 + 2000 = map via IP and no bother, and no initial broadcast.
But when compared to 2000, 2003 R2 is a lot more secure under heavy attacks. There was a time when a hacker tried to log in spoofing the IIS for 12 days and did not get past the IIS security. When we were on 2000, the system wasn't hacked, but stopped responding. 2003 R2 writes a log of the mislogon and continues OK.