It sounds like you'd do well to get some background information on Group Policy before you begin making changes. Some background information on Active Directory would probably help you, too.
I'd recommend strongly against modifying the "Default..." Group Policy Objects (GPOs) that are created in Active Directory by default. You can create your own GPOs that contain your custom settings. By leaving these settings in their default state you create a situation where you can disable all your custom GPOs and return everything to a default state.
To answer your specific queries (at the risk of repeating what TechNet says):
The "Default Domain Policy" is a GPO created during the creation of your Active Directory domain that contains settings that, by default, apply to all computer and user accounts in the domain. (Using the "Block Inheritance" functionality on individual OUs allows this behavior to be overridden, but that's more of an advanced topic.) The main default setting that comes out of this GPO is the domain password policy. This setting controls the parameters associated with user account lock-out and user passwords (length, complexity, expiration, re-use).
The "Default Domain Controllers Policy" is another GPO created during the creation of your Active Directory domain. It contains settings that are only applied to Domain Controller (DC) computers (that is, those computers that host copies of the Active Directory database and perform authentication functions). The main default settings that come out of this GPO in Windows 2003 and newer Windows versions are to limit the DCs to "talking to" clients that support digitally-signed Server Message Block (SMB) packets. The purpose of this setting is to increase security.
The specific details of how Group Policy is applied by users or computers are somewhat involved. In general, though, Group Policy objects are applied in the order they are encountered starting at the top of the domain and proceeding down through OUs to the computer object. The easiest way that I can relate to think about "precedence" or "conflicts" between GPOs is to imagine that all the settings are applied as each GPO is encountered, with the "effective" setting being the last setting applied to a given item.
An example: A GPO linked at the domain sets the computer's "Offline Files" feature to "Enabled". Another GPO linked at the OU where the computer object is located sets the "Offline Files" feature to disabled. Because the GPO linked to the OU where the computer object is located is applied last, the "effective setting" for the computer would be to leave "Offline Files" in the disabled state.
The "Block Inheritance" and "No Override" functionality add complexity and powerful functionality. WMI filtering, security group filtering, and loopback policy processing add a lot of additional complexity, too, and are worth learning about. I wouldn't recommend learning about any of these features, though, until you have a good background on the general behavior of the product.
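The "last setting applied wins" model described in this answer can be sketched as a small resolver. This is an added example, not part of the original answer and not Microsoft's implementation; it goes beyond the Offline Files case to include the "Block Inheritance" and "No Override" flags. The GPO and container names are constructed, and local and site-level GPOs, security group filtering, WMI filters and loopback processing are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                  # GPO display name (constructed for this example)
    settings: dict            # setting name -> configured value
    enforced: bool = False    # the link's "No Override" (Enforced) flag

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 is link order 1
    block_inheritance: bool = False

def effective_settings(path):
    """path lists containers from the domain down to the object's own OU.
    Returns {setting: (value, name of the GPO that set it last)}."""
    # Block Inheritance on a container discards non-enforced links above it.
    first_kept = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        ordered = container.links[::-1]  # link order 1 is applied last
        if depth >= first_kept:
            normal += [l for l in ordered if not l.enforced]
        # Enforced links from higher containers must be applied later, so
        # deeper containers are placed in front of what is already queued.
        enforced = [l for l in ordered if l.enforced] + enforced
    result = {}
    for link in normal + enforced:  # last writer wins
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result

def offline_files_example(domain_enforced=False, ou_blocks=False):
    """The Offline Files case from the answer, with optional advanced flags."""
    domain = Container("DC=example,DC=test", [
        Link("Domain Baseline", {"Offline Files": "Enabled"}, domain_enforced)])
    ou = Container("OU=Workstations", [
        Link("Workstation Settings", {"Offline Files": "Disabled"})], ou_blocks)
    return effective_settings([domain, ou])

if __name__ == "__main__":
    for setting, (value, gpo) in offline_files_example().items():
        print(f"{setting} = {value} (from {gpo})")
```

With the default arguments the OU-linked GPO wins, matching the answer's example; setting `domain_enforced=True` makes the domain-linked GPO win even when the OU blocks inheritance.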
Best Answer
What you're looking for sounds like a simple thing but it really isn't.
When you say "all browsers" I tend to think that you're talking about third-party web browser software (Google Chrome, Firefox, Opera, wget, curl, etc). You're going to find that third-party web browser software is less amenable to being controlled by Group Policy than Internet Explorer.
By "downloading" I think you're saying "saving the contents of HTTP(S) accessible resources to disk files while still allowing the user to view web pages". Considering that's exactly what a browser does when accessing web sites to allow users to view pages I think you're going to have a tough time of this. If the machine is able to arbitrarily communicate with other hosts via HTTP(S) and the user can execute arbitrary code then users can "download".
Your options are to remove the user's ability to execute arbitrary code and/or remove the ability for the computer to arbitrarily communicate with other hosts. Software Restriction Policy is your best bet for the first, and a web filter device / application is your best bet for the second.
You can play games with the IE "Security Zones" and other settings via Group Policy but a determined attacker is going to be able to get around such games even if they can't execute arbitrary code. If the attacker can just run a copy of wget they bring in on their own storage media then all the Group Policy machinations in the world aren't going to help you, either.