Value: 5 : DC refuses LM and NTLM responses (accepts only NTLMv2)
Value: 4 : DC refuses LM responses
Value: 3 : Send NTLMv2 response only
Value: 2 : Send NTLM response only
Value: 1 : Use NTLMv2 session security if negotiated
Value: 0 : default - Send LM response and NTLM response; never use NTLMv2 session security
You MUST read KB Q147706 - How to Disable LM Authentication on Windows NT to understand compatibility issues. It lists gotchas and implementation suggestions. SP4 added levels 3-5 and added considerable complexity. Also see Q175641 - LMCompatibilityLevel and Its Effects.
For commercial networks, I suggest setting LMCompatibilityLevel to 1 on all NT workstations and servers. NTLMv2 will be used when possible, and LANMAN compatibility remains available for Win95, Win98, and Mac clients. In high-risk networks, set LMCompatibilityLevel to 5, which eliminates Win9x and its weak authentication requirements.
With the introduction of Windows 2000, Microsoft has provided a method to add NTLMv2 support to Win9x clients. You do this by installing and then uninstalling the Directory Services Client included on the Windows 2000 CD-ROM. The installation updates the authentication components in Win9x to NTLMv2 compatibility, and when the client is uninstalled, these enhanced system components remain! The steps needed to add this functionality are documented in Microsoft's KB article Q239869 (article offline 4/26/2002). With this enhancement, it is no longer necessary to have an all-NT-workstation environment to gain NTLMv2 authentication.
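The following is an added example, not part of the original page: it models the level table above to show which clients a given DC level locks out and which still put an LM response on the wire. Assumptions: levels 4 and 5 behave as level 3 on the client side, a stock Win9x client is modelled as sending an LM response only, and the host names are hypothetical.

```python
# Added example: models the LMCompatibilityLevel table on this page.
ORDER = ["LM", "NTLM", "NTLMv2"]  # weakest to strongest

# Response types a client sends at each level. Levels 4 and 5 only change
# DC behaviour; as clients they send NTLMv2 only, like level 3.
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}

# Assumption: a stock Win9x client (no Directory Services Client) is modelled
# as sending an LM response only.
WIN9X_STOCK = {"LM"}


def dc_accepts(dc_level):
    """Response types a DC at this level will validate."""
    if dc_level >= 5:
        return {"NTLMv2"}
    if dc_level == 4:
        return {"NTLM", "NTLMv2"}
    return set(ORDER)


def evaluate(sends, dc_level):
    """Return (logon_ok, strongest_usable, lm_on_wire) for one client/DC pair."""
    usable = sends & dc_accepts(dc_level)
    best = max(usable, key=ORDER.index) if usable else None
    # The LM response is transmitted whenever the client sends it, even if
    # the DC refuses it, so only the client-side level removes it from the wire.
    return bool(usable), best, "LM" in sends


def audit(inventory, dc_level):
    """inventory: {host: set of response types sent}. Returns sorted findings."""
    findings = []
    for host, sends in sorted(inventory.items()):
        ok, best, lm = evaluate(sends, dc_level)
        if not ok:
            findings.append((host, "LOCKED_OUT"))
        elif lm:
            findings.append((host, "LM_EXPOSED"))
    return findings


# Constructed inventory; host names are hypothetical.
INVENTORY = {"nt-ws-01": CLIENT_SENDS[1], "nt-ws-02": CLIENT_SENDS[3],
             "win98-07": WIN9X_STOCK, "nt-srv-03": CLIENT_SENDS[2]}

if __name__ == "__main__":
    for level in (1, 4, 5):
        print("DC level", level, audit(INVENTORY, level))
```

Running the audit for the intended DC level before changing it shows which hosts need their own level raised (or the Directory Services Client step) first.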