Hot tip: the last matching entry in your sudoers file wins. I finally found a sudo tips post that explained this as I had been bashing my head against a wall for a bit to try and figure out why my new rule to allow certain commands with no password wasn't working.

Other good sudo-related hints include sudo -l, which lists, in rule-matching order, what you are allowed to do:

$ sudo -l
Matching Defaults entries for dmcgee on this host:

User dmcgee may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: /usr/sbin/vpnc, (root) /usr/sbin/vpnc-disconnect

Since the vpnc rules come last, they (along with their NOPASSWD tag) will take precedence over the primary rule which requires my password. Finally, when testing to make sure a password isn't required, sudo -k allows you to flush the timestamp associated with sudo so the next invocation will always require a password if applicable.