I only have experience of server and gateway mode, running with a real IP on the net.
Your biggest security risk here is your usernames and passwords - if the usernames are names then make the passwords long (8+ characters) and alphanumeric. If your users choose poor passwords, hurt them.
If you just installed SME as a 'Server and gateway' and didn't fiddle with it then you are *probably* secure. By default SME will only relay mail for domains it knows about, so concerns on port 25 can be allayed.
Ports 80 and 443 are http and https so are needed for the webserver that's running. This is not insecure unless you create and upload a poorly designed website.
Port 113 is the ident service. From what I can make out, this is needed for the 'server' side bit of being a webserver - and so it does not represent a security risk on SME.
Port 465 is for secure SMTP, this would allow your clients to connect from the internet and authenticate to send email that is not for your domain, i.e. outgoing email. It is not a problem unless you have poor passwords.
So, in summary, those ports are needed for SME to use for normal email in, out and web serving traffic.
Of course, if you fiddled with it all under the hood, then you should seek more detailed advice - and probably disconnect it if you are unsure.
Finally, GRC.com is showing the results for the server, the clients are presumably on the LAN behind the SME Server and are therefore protected. You can run a personal firewall on the clients as well, I personally feel that it's overkill on small networks where user education is much more important than user confinement .....
Here is an anecdote that may prove the importance of long passwords ....
I once set up an SME server on a public IP which only had one user account, no published MX record and no DNS (making it fairly anonymous and only findable by port scanning). After 4 days the one user account had one piece of spam in it - the b*stards had plugged away at the server until they brute-forced the email address david@millfarm.org and it was accepted as a valid incoming email address. The moral is, there is no security in obscurity, they will find you and they will keep trying until they get in or you wear them out .....
David.
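
An added example, not part of the post above: one way to spot the kind of recipient-address guessing described in the anecdote from the server side, by flagging clients that try many distinct recipients and are mostly rejected. The log format, field names, addresses and thresholds are constructed for illustration and are not SME Server's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, made-up format (assumption, not real SME logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.5 rcpt=<admin@example.org> result=reject
2024-05-01T10:00:02 client=203.0.113.5 rcpt=<info@example.org> result=reject
2024-05-01T10:00:03 client=203.0.113.5 rcpt=<sales@example.org> result=reject
2024-05-01T10:00:04 client=198.51.100.7 rcpt=<david@example.org> result=accept
2024-05-01T10:00:05 client=203.0.113.5 rcpt=<john@example.org> result=reject
2024-05-01T10:00:06 client=203.0.113.5 rcpt=<mary@example.org> result=reject
this line is damaged and must be skipped
2024-05-01T10:00:07 client=203.0.113.5 rcpt=<David@example.org> result=accept
2024-05-01T10:00:09 client=198.51.100.7 rcpt=<david@example.org> result=accept
"""

LINE_RE = re.compile(
    r"^\S+ client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> result=(?P<result>accept|reject)$"
)

def find_harvesters(log_text, min_distinct=5, min_reject_ratio=0.8):
    """Return {ip: summary} for clients probing many distinct recipients, mostly rejected."""
    tried = defaultdict(set)      # ip -> distinct recipients attempted
    accepted = defaultdict(set)   # ip -> recipients the server confirmed as valid
    total = defaultdict(int)      # ip -> number of RCPT attempts
    rejects = defaultdict(int)    # ip -> number of rejected attempts
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than guessing at their content
        ip, rcpt = m["ip"], m["rcpt"].lower()  # compare addresses case-insensitively
        tried[ip].add(rcpt)
        total[ip] += 1
        if m["result"] == "reject":
            rejects[ip] += 1
        else:
            accepted[ip].add(rcpt)
    flagged = {}
    for ip, rcpts in tried.items():
        ratio = rejects[ip] / total[ip]
        if len(rcpts) >= min_distinct and ratio >= min_reject_ratio:
            flagged[ip] = {"distinct": len(rcpts), "reject_ratio": round(ratio, 2),
                           "confirmed": sorted(accepted[ip])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

The `confirmed` list holds the addresses a guessing client now knows exist, which are the accounts where a long password matters most.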