Machine Policy Administration
The machine policy level holds most of the default security policy. All machine and domain administrators have access to the machine configuration files. Machine administrators can set policy that excludes modification from the user level but not from the enterprise level.
You might consider administering security policy on this level in the following situations:
You are not on a network or are on a network without a domain controller.
The computer you are administering serves a unique function. For example, if you are administering a public computer that is used for general Internet access by several people in a semi-public setting, you might want to have a unique machine policy, because the computer serves a unique function. Additionally, you might want to produce a specific machine policy that considers the security needs of specialized computers, like the servers in your enterprise.