After some testing on the VML zero-day exploit for Internet Explorer, I have managed to verify that hardware-enforced DEP will prevent the exploit from launching. IE will simply generate a DEP error asking you if you want to make a DEP exception for Internet Explorer (to which you should say NO) and crash Internet Explorer. Without hardware-enforced DEP, my test machine would have been owned by a ton of malware from the websites I was testing on.
This is the third time in a row that hardware-enforced DEP has preemptively protected me from a zero-day Internet Explorer exploit. The first time I verified this was with the WMF exploit; the second time was a zero-day IE exploit this March. Therefore I highly recommend people enable DEP protection in Windows XP SP2 and Windows Server 2003 SP1 and never buy a CPU without NX or XD capability. This DEP guide I did earlier this year is still relevant. It doesn't have the newer CPUs listed, but they all have DEP capability except the cheapest Socket A CPUs from AMD. But even with hardware-enforced DEP enabled, it is still a good idea to implement the workarounds for this VML exploit.
According to this blog (via Alex from Sunbelt BLOG), even software-enforced DEP will mitigate this VML issue. This was not the case in the WMF zero-day exploit, when only hardware-enforced DEP would work, which means software-enforced DEP isn't worthless in all situations. So even if you don't have a modern CPU, you should follow this guide and implement DEP. I'm a bit nervous about software-enforced DEP because Microsoft originally stated that it would work against the WMF exploit and then had to retract that claim. But it's better than nothing, I guess.
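To check whether a machine actually has the protection recommended above, here is an added example (not from the original post or the linked DEP guide) that reads the DEP settings Windows XP SP2 / Server 2003 SP1 expose through WMI and compares them with the /noexecute switch in boot.ini. It assumes PowerShell is installed and that boot.ini lives at C:\boot.ini; the function names and the path variable are this example's own choices.

```powershell
# Added example: report whether DEP is on, whether the CPU supports NX/XD
# (hardware-enforced DEP), and which policy boot.ini requests.
# Assumed location of the boot configuration on XP / Server 2003.
$BootIniPath = 'C:\boot.ini'

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
# XP SP2 defaults to OptIn (Windows binaries only); Server 2003 SP1 to OptOut.
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $status = @{
        # True only when the CPU has NX/XD and it is usable by Windows.
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Protects32BitApps    = [bool]$os.DataExecutionPrevention_32BitApplications
        ProtectsDrivers      = [bool]$os.DataExecutionPrevention_Drivers
        BootIniSwitch        = $null
    }
    # On XP/2003 the policy is chosen by /noexecute=... in boot.ini; a
    # mismatch with the WMI value usually means a reboot is still pending.
    if (Test-Path $BootIniPath) {
        $text = Get-Content $BootIniPath | Out-String
        $m = [regex]::Match($text, '/noexecute=(\w+)', 'IgnoreCase')
        if ($m.Success) { $status.BootIniSwitch = $m.Groups[1].Value }
    }
    return $status
}

function Get-DepVerdict {
    $s = Get-DepStatus
    if (-not $s.HardwareDepAvailable) {
        return 'No NX/XD support detected: only software-enforced DEP is possible'
    }
    if ($s.Policy -eq 'AlwaysOff') { return 'DEP is disabled (AlwaysOff)' }
    if ($s.Policy -eq 'OptIn') {
        return 'Hardware DEP active, but OptIn covers only Windows binaries and programs that opt in; consider OptOut'
    }
    return "Hardware DEP active with policy $($s.Policy)"
}

Get-DepStatus | Format-Table -AutoSize
Get-DepVerdict
```

Run it from an elevated PowerShell prompt; if BootIniSwitch differs from Policy, the boot.ini change has not taken effect until the next reboot.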