I always surf with JavaScript disabled, because popups annoy the hell out of me. I also surf with cookies disabled.

I have two other security zones that allow me to enable cookies (for PerlMonks) and cookies + JavaScript (other trustworthy sites).

I use both, JavaScript and CGI for form validation. This took a bit of design, but I now have (optional) JavaScript that does "immediate" validation without submitting, and a CGI behind that, which does the validation if JavaScript is disabled (it also validates if JavaScript is enabled, but in that case, only valid input should pass). (Yes, this is in a module which I've promised to release several times already. I promise to come forward with the module; in the meantime, you can try http://samson.math.uni-frankfurt.de/~corion/validation for the JavaScript part without the CGI backend.)