A domain offers centralized control of resources, which is useful in larger
networks. It does not, however, make anything more secure. In fact, a
misconfigured domain in which users have excessive rights can be very
insecure, since those rights will apply to every computer including the
server, not just their own.
Regardless of that, I would suggest that selecting one computer as the
centralized file store is a better way to go, securitywise. Backup is then
much easier, and you can stop the server service on machines with no shares,
which closes several attack-vectors.
As regards workstation security, running as a limited user and/or
implementing a software-restriction policy are good options. With both of
these in-place, malware will find it very hard to gain a foothold.
Providing you are using Firefox, IE8 or similar, and NOT IE6, the online
security issue stems mainly from plugins. Therefore minimize the number of
plugins and you minimize the attack-surface. Those which you do retain, keep
patched. Those which you seldom use, consider removing or disabling. The
Adobe Reader plugin is especially a case for removal, as it is NOT needed to
read Acrobat documents, only the reader is needed. Java is very seldom used.
Quicktime, occasionally. Flash, well you can't really do without that so keep
it patched.