ei00004 asked:
Why is the domain users group a member of the local users group on windows servers?

Why is the "Domain Users" group a member of the local "Users" group on Windows 2003/2008 servers? This is even true for our domain controllers. I know the Domain Users group is added to the local Users group on a workstation when it is added to the domain. But isn't this a security risk for servers? This allows any user in the domain to log in to the server console and run programs or delete files from the system volume. Since our users never log on to the server console, is there any reason for me not to remove this group from the local Users group on all our servers?
Adam Brown:

The Domain Users group is added to the Local Admins group by default. It's necessary to have it that way because every user in the domain is a Domain User, even the Domain Admins. There isn't really a way to block regular domain users from being able to log in locally to a Domain Controller, because doing so would block users from logging in to any computers on the network. However, domain users do not have enough access to make major modifications to Active Directory or the files necessary for AD to operate. A regular Domain User, by default, can't easily break a Domain Controller if they are able to log in to it.
ASKER CERTIFIED SOLUTION (Adam Brown)
ei00004 (asker):

I noticed the Domain Users group is added to the "Local Users" group on every member server in our domain too. I just did some testing on a Windows 2003 member server. Logging in as a typical domain user on the 2003 console, I cannot delete any files or folders on the C:\ volume that I (as the domain user) did not create. I cannot even create a file on the C:\ volume; however, I can create a folder and then create files inside the folder I created. I can also delete files from this folder and can also delete this folder, but that's about it.

However, I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.
ei00004 (asker):

The Allow Log on Locally right, yes I forgot about that, so many policies and groups to keep up with. :-) I believe that should work for me.
ei00004 (asker):

Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?

By default, a user needs to be more than a user/domain user to log on to the console on a server. Only the various administrators have the log on locally right. By default, if you haven't gone changing NTFS rights or groups, your servers should be reasonably secure. A bigger concern would be places where NTFS permissions allow Everyone or Users WRITE access over the network where they should only have READ. Windows 2008/R2 do a good job of having reasonable security settings. Windows 2000 defaulted to EVERYONE full control.

The Allow Log on Locally right is set for the domain controllers as a group, and then all other servers and workstations can have their own settings. Normally you don't need to change them unless you have unusual requirements like normal users logging into a server or workstations where certain users are prohibited from logging onto.
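An added audit script (not from this thread) that checks on the local server both things debated above: who is in the local Users group, and who actually holds the Allow/Deny log on locally rights, read from a secedit export. It assumes an elevated PowerShell session on the server being checked; the temporary file name secpol-export.inf is arbitrary.

```powershell
# Added example (not from the thread): audit the two settings discussed above on the
# local server. Run in an elevated PowerShell session; secedit needs admin rights.
$ErrorActionPreference = 'Stop'

# 1. Members of the local Users group, via the ADSI WinNT provider (works on 2003/2008).
function Get-LocalUsersGroupMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath shows where the member comes from, e.g. WinNT://CONTOSO/Domain Users
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# 2. Holders of "Allow log on locally" (SeInteractiveLogonRight) and
#    "Deny log on locally" (SeDenyInteractiveLogonRight), read from a secedit export.
function Get-LogonLocallyRights {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # arbitrary temp file name
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $result = @{}
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        # Export line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        $line  = Get-Content $cfg | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $names = @()
        if ($line) {
            foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # *S-1-... is a SID; translate it to DOMAIN\Name, keep the SID if that fails
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $names += $entry }
                } else { $names += $entry }
            }
        }
        $result[$right] = $names
    }
    Remove-Item $cfg -Force
    return $result
}

$members = Get-LocalUsersGroupMembers
$rights  = Get-LogonLocallyRights
"Local Users group members : $($members -join ', ')"
"Allow log on locally      : $($rights.SeInteractiveLogonRight -join ', ')"
"Deny log on locally       : $($rights.SeDenyInteractiveLogonRight -join ', ')"
# Domain Users sitting in local Users only reaches the console where BUILTIN\Users also
# appears in the allow list (the default on member servers; domain controllers default to
# Administrators and the operator groups). Deny entries override allow entries.
```

Compare the two lists on a member server against a domain controller to see why the same group membership has different consequences on each.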
ei00004 (asker):

This question was not answered:
Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?

I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.