I agree wholeheartedly with the comments in this blog posting about why local GPOs matter, except for the last few sentences. If local GPO processing is turned off once a computer is joined to the target domain and is receiving domain-based GPOs, you have a problem if that computer is logged on locally (using a local, non-domain account). Working in the DoD environment, we actually use our local GPOs to lock down the computer to a stand-alone posture that is at least as strict as the domain GPOs (or even more so). That way, whether the computer is logged on as a domain member or as a local computer, the box is fully protected. Clearly, only local administrators should be able to log on locally to any domain-connected computer, but that doesn't relieve a very real necessity to ensure that the security posture is not lowered when the domain is not there to protect it.

DISA Gold Disk, which is generally unloved by most sysads, is still the standard by which the DoD does business. Whether the policies are applied via the domain or locally, they still must always be applied. Our standard operating practice is to lock the local box down extremely tight, and relax the settings using domain GPOs (where possible).