At the moment there's very little orphaning of blocks, and next to no occurrence of two-block side chains. Unless you're dealing with large amounts (larger than two block rewards' worth, probably), your chances of attack are incredibly, incredibly low. If you're dealing with amounts less than a few BTC, I'd personally be happy accepting one-confirmation transactions.
There are no specific flags for bitcoind that you can use to control confirmations; it's all on your software's side. Generally, if you're a merchant, you should avoid having a listening node (set listen=0) just to be on the safe side. Be sure to use cold storage if your server accumulates a target-worthy amount of currency, by sending off to an address that the server does not know the private key of.
If you're not using walletnotify to control your internal accounting system, you probably should.
You can mark the money as arrived straight away really. What you should not do is allow the money to be transferred out while confirmations are fewer than 3 or 5 or whatever. It depends on what your service does. If you're converting to fiat currency, you want more confirmations. If you're running a poker game, it does not matter, as your engine can backtrack any invalid transactions and you just disallow out transfers if an account has not fully matured the transactions. This will prevent hit-and-run fraud but allow legit users to experience fast deposits. – Piotr Kula – 2013-09-19T09:51:56.660
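The accounting rule described in the answer and comment above, as an added example that is not part of the original posts: deposits are shown immediately, transfers out are limited to matured deposits, and a conflicted transaction is backed out. The dictionaries are constructed samples shaped like the output of bitcoin-cli gettransaction; Ledger, MIN_CONF_WITHDRAW, sample_tx and the addresses are hypothetical names, and the threshold of 3 is an assumed policy.

```python
from decimal import Decimal

MIN_CONF_WITHDRAW = 3  # assumed policy; the comment above says "3 or 5 or whatever"

def sample_tx(txid, address, amount, confirmations, vout=0):
    """Constructed sample shaped like the JSON from `bitcoin-cli gettransaction`."""
    return {"txid": txid, "confirmations": confirmations,
            "details": [{"category": "receive", "address": address,
                         "amount": amount, "vout": vout}]}

class Ledger:
    """Hypothetical internal accounting: show deposits at once, release them later."""

    def __init__(self, address_owner):
        self.address_owner = address_owner  # deposit address -> account id
        self.deposits = {}   # (txid, vout) -> (account, amount, confirmations)
        self.withdrawn = {}  # account -> total already paid out

    def record(self, tx):
        """Apply the latest state of a transaction; idempotent per (txid, vout)."""
        for d in tx["details"]:
            account = self.address_owner.get(d["address"])
            if d["category"] != "receive" or account is None:
                continue
            self.deposits[(tx["txid"], d["vout"])] = (
                account, Decimal(str(d["amount"])), tx["confirmations"])

    def _total(self, account, min_conf):
        return sum((amt for acc, amt, conf in self.deposits.values()
                    if acc == account and conf >= min_conf), Decimal(0))

    def displayed(self, account):
        # Negative confirmations mean the transaction is conflicted (e.g. double
        # spent or reorganised out), so it is backed out of the visible balance.
        return self._total(account, 0) - self.withdrawn.get(account, Decimal(0))

    def withdrawable(self, account):
        # Only deposits that have matured count towards outgoing transfers.
        return (self._total(account, MIN_CONF_WITHDRAW)
                - self.withdrawn.get(account, Decimal(0)))

    def withdraw(self, account, amount):
        amount = Decimal(str(amount))
        if amount <= 0 or amount > self.withdrawable(account):
            return False  # refuse: would spend unmatured or missing funds
        self.withdrawn[account] = self.withdrawn.get(account, Decimal(0)) + amount
        return True
```

Call record() from the walletnotify handler and again whenever the transaction's confirmation count is refreshed, so that the stored state follows the chain.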