Microsoft Knowledge Base Article 816792 contains the following summary:
This article describes how to configure TCP/IP filtering on Microsoft Windows 2003-based computers.
Windows 2003-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is to use the TCP/IP filtering feature. TCP/IP filtering is available on all Windows 2003-based computers.
TCP/IP filtering helps with security because it works in kernel mode. In contrast, other methods of controlling inbound access to Windows 2003-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on user-mode processes or the Workstation and Server services.
You can layer your TCP/IP inbound access control scheme by using TCP/IP filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control both inbound and outbound TCP/IP access, because TCP/IP security alone controls only inbound access.
Note TCP/IP filtering can filter only inbound traffic and cannot block ICMP messages, regardless of the settings that are configured in the Permit Only IP Protocols column or whether you do not permit Internet Protocol 1. Use IPSec Policies or packet filtering if you need more control over outbound access.
Note We recommend that you use the Configure E-mail and Internet Connection Wizard on SBS 2003-based computers with two network adaptors, and that you turn on the Firewall option and then open the required ports on the external network adaptor . For more information about the Configure E-mail and Internet Connection Wizard, click Start, and then click Help and Support . In the Search box, type Configure E-mail and Internet Connection Wizard, and then click Start Searching . You can find information about the Configure E-mail and Internet Connection Wizard in the Small Business Server Topics result set list.