Make sure you use the Custom Installation.
Deselect everything except Anti-Virus\Spyware.
Pay attention on next dialogs: We DO NOT want to enable auto-protect and we DO NOT want to run Liveupdate.
Once installed - open the Configuration panel > Change Settings.
Under Centralized Exceptions > Click Configure Settings
Add Exceptions for the following directories:
For a DC
For Exchange servers
C:\Program Files\Exchsvr (2003) or the Exchange Partition - you should in theory have it installed in its own partition in any case.
Include any data partitions - we don't want Symantec scanning shared drives, etc.
E:\* or whatever
Go back to Change Settings
Under Antivirus and Antispyware protection > Click Configure settings
On the File System Auto-Protect tab
Check Enable auto-protect
For File Types > Uncheck "Determine file types by contents"
Under Options - Uncheck "Scan Files on network drives"
Click Advanced Uncheck "Enable Risk Tracer"
Click Heuristics - Uncheck "Enable Bloodhound"
That should do it - a safe level of protection without hindering the server from doing its job.