First question - It really depends on what you are trying to protect against. If you need more than Microsoft's defaults to address a risk scenario, yes, you have to add policies and rules to address them. Do you have a specific concern that is not addressed by an MS default? If not, follow the security principle of "keep it simple" and use what Microsoft has provided.
Microsoft's suggested use cases are:
- Standard protection: A baseline protection profile that's suitable for most users.
- Strict protection: A more aggressive protection profile for selected users (high value targets or priority users).