Check out this article:
I think it will answer most of your questions nicely.
And Sam Swift has posted this:
This should give you a good deal of info to work a solution that makes sense in your environment.
My suggestion would be to leave it in Medium unless you are actively removing malware regularly from individual systems. And in that case, find out what these persons seem to be doing that regularly gets them in trouble, then deal with that.