For workstations you should have two separate OUs and thus client targets define within WSUS.
This is primarily to allow you to test whether the patches you approve/apply have no impact on applications.
This in most cases/parts deals with approving/installing an update to the .NET, IE etc. that may have an adverse impact on the proprietery/commercial application that might not work well with newer versions of .NET installed. OR access to a particular web site does not work with the newer version of IE, etc.
You can apply GPO in stages.
At the top of the Domain, the GPO will only define the intranet site only.
The GPOs that apply to the Server OU, Workstation OU and test workstation OU
Would include the client target, schedule, and settings.
i.e. the server OU GPO will have the client target as servers, download and notify.
The workstation OU will differ only on the client target one will have a test_workstation and the other will have workstation.
You should not set deadline for updates as these updates upon installation will forcibly reboot the system even if you define the no-auto restart when there is a logged in user.
The major effect a user will see if an update is applied while they are logged in deals with updates such as the installation of IE8 over IE7. There will be warnings.
updates affecting security of an application/OS will often be transparent to the user.
The transfer of the data whether it is 20kb or 200MB will likely go unnoticed by the user depending on what the user's normal tasks are i.e. if the user is heavily dependent on fast network access, the person may see a slow down. This may not be an issue if the user's system is left and the retrieval occurs off hours.
