First visit User settings. You can control how liberally it is possible for users to create new accounts. For a single user site it's best to only allow site administrators to create accounts, and the other end of the spectrum is to allow anybody to create an account without administrator intervention.
It's best to require e-mail verification before registration can finish, because otherwise you're wide open to spammers. However it's been observed that sometimes valid people enter valid email addresses and then never receive their registration email, perhaps due to overly rambunctious spam filters. Sigh.
Now let's look at the Roles area. A role defines a group of users that have certain privileges as defined in user permissions. Out of the box Drupal gives you two roles, the Anonymous User and the Authenticated User. You might also want Editor or Administrator roles which have extra powers. A lot depends on the set of users and what it takes to manage the community which forms around your site.
By itself creating a new role does nothing. A role takes on meaning only when you assign permissions to the role. This is done in the Permissions administration page, and there is a long list of options here.
For example under the blog module are these permission choices:- create blog entries, delete any blog entry, delete own blog entries , edit any blog entry, edit own blog entries
That's a pretty straightforward set of permission choices. You'll notice there is one column of checkboxes per role, so to enable a given permission for a given role you simply click on the checkbox at the correct intersection. For example if your site allows multiple users and you want everybody to be able to blog then in the authenticated user column click on create blog entries and edit own blog entries. If you have created an editor role they should have the rest of the permissions to delete and edit any blog entry.
Under the comment module are some important choices to control who can comment, and the level of approval required. Choose carefully here as spammers can latch onto your commenting system and spew spammy comments into your site.
Under the node module it's important to check the access content permission. If access content is turned off for the anonymous user then the site will be invisible unless the user is logged in. Maybe you want to run an invisible web site, but most of us want our web sites to be visible to everybody and this permission should generally be enabled. Also under node module are permissions similar to those of the blog module, for for most of the other content types.