Microsoft Knowledge Base Article 309798 contains the following summary:
This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.
Windows 2000-based computers support several methods of controlling inbound access.
One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature.
TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.
TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode.
In contrast,
other methods of controlling inbound access to Windows 2000-based computers,
such as by using the IPSec Policy filter and the Routing and Remote Access server,
depend on User-mode processes or the Workstation and Server service.
You can
layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering.
This approach is especially useful if you want to control inbound and outbound TCP/IP access.
TCP/IP Security controls only inbound access.