Yes, and yes.
DNSSEC is the first successful attempt to add a security standard to the light-weight DNS infrastructure protocol. DNS must remain light-weight in order for the Internet infrastructure to operate efficiently and quickly serve requests to users. DNSSEC is backwards compatible and remains light-weight enough that DNS is efficient.
DNSSEC can be performed by the DNS servers without the knowledge or participation of client computers. The term "DNSSEC-aware" is a bit redundant since DNSSEC is backwards compatible. A DNS server that does the DNSSEC validation will deliver trusted responses to DNS queries. Specifically, the DNSSEC standard means that at the time the response is sent by the DNS server, the DNS server must have cryptographic evidence that the response is correct and trusted; otherwise the DNS server sends nothing.
The main issue at hand is that DNSSEC is not fully implemented on the DNS servers. Some servers implement it, some do not. If a client is configured to require that the DNS servers do DNSSEC validation, then the AD flag you mention is redundant, particularly since a DNSSEC server should not send untrusted information to clients. Windows computers can be configured to rely only on authenticated DNS responses, and this is what Microsoft means when they discuss "non-validating DNSSEC-aware computers". See their discussion for details.
As you observe, since the DNS server is doing the authentication, and the client is not, it is possible for attacks to be inserted between the server and client. Such attacks could include poisoning of the client's local DNS cache and spoofing of server responses. From a security standpoint, one would want the client to validate the DNS response. However, there are probably implementation and efficiency obstacles for creating such a system.
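An added example (not part of the answer above) showing what the AD flag actually is on the wire and why a non-validating stub can only trust it as far as it trusts the path to its resolver: it builds a query with the EDNS0 DO bit, decodes the header flags of a constructed response, and classifies the result. The sample response headers and the `resolver_path_trusted` input are constructed assumptions, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_QR = 1 << 15  # response
FLAG_AD = 1 << 5   # Authentic Data: the resolver says it validated the answer
FLAG_CD = 1 << 4   # Checking Disabled: client asks the resolver not to validate
EDNS_DO = 1 << 15  # DNSSEC OK, carried in the OPT record's TTL field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Minimal DNS query (RD set) with an EDNS0 OPT record carrying the DO bit."""
    labels = b"".join(struct.pack("B", len(p)) + p.encode() for p in name.rstrip(".").split("."))
    # id, flags (RD), qdcount, ancount, nscount, arcount (1 for the OPT record)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE=41, class = UDP payload size, TTL = ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt


def response_flags(msg: bytes) -> dict:
    """Decode the header flags of a DNS response into named fields."""
    txid, flags = struct.unpack(">HH", msg[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF}


def classify(msg: bytes, resolver_path_trusted: bool) -> str:
    """What a non-validating stub can conclude from a response.

    A validating resolver answers SERVFAIL for bogus data, so the AD bit only
    appears on answers it validated; but the bit itself is unsigned, so it is
    only worth something if the link to the resolver cannot be tampered with.
    """
    f = response_flags(msg)
    if f["rcode"] == 2:  # SERVFAIL
        return "servfail"
    if not f["ad"]:
        return "unvalidated"
    return "validated" if resolver_path_trusted else "ad-set-but-unverifiable"


# Constructed sample header: QR|RD|RA|AD set, NOERROR, 1 question, 1 answer
SAMPLE_AD_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# Constructed sample header: QR|RD|RA set, RCODE=2 (SERVFAIL), no answers
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
```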