if the router is set in nat mode that should cover most of the inbound protection, if any ports are forwarded, try to limit them to specific IP's within the router.
outpost 4.x runs on win2k3 (and have a 64bit version) although i wouldnt recomend it, he would do better to tighten up & configure the server properly, rather than trying to cover up open holes
i run a 2k3 std server but am confident in my config & routers inbound protection.
just make sure he disables any un-needed services/roles and keeps it up to date.
from what i understand he wants to do is, is what i have done with my BSD box (thanks to lord geffy and X) using PF, but he wants to do this on windows, server will sit there and be used as ftp, web, and storage, all other connections to the router will mainly be internal (some inet use) but they want to lock it down so that only the server can be reached, and only for web/ftp - port 80 and 21 (poss pasv for ftp).
For the ftp he would like to use per ip restriction. - i am looking at ftp serve progs for him - may settle on gene6
I prefer to block out potential threats at the firewall level rather than at the service level. Relying on the service to block out IP's makes it to easy to leave a hole accessible because of misconfiguration or because of a hole in the service itself. If it is blocked before it even reaches that level, there is no further worries.
the router & the xp firewall can do a great job of inbound protection. couple that with a well configured/up to date OS and there is no need for a separate (software) firewall.
the only reason you would really need a 3rd party firewall is for outgoing application control.
3rd party firewalls can cause conflicts with drivers & slow down your network, steer clear on a 2k3 machine.
windows firewall can limit apps/ports to ip's/range's or even just limit to local subnet only , but the best place for that is within the router.
dont just forward ports, forward ports and lock down the ip's within the router.
windows firewall gets a LOT of flak, usually because people let their pc's get infected with spyware/virus's and the firewall getse asily bypass'd/disabled.
however on an up to date/configured server, spyware/virus's wont be an issue (unless a user logs in and browses on the server) so it would be pretty hard to get disabled.
I've been running Untangle for a bit now. It wouldn't run as a Windows app. Ideally you'd run it on a separate PC. You can run it as a virtual machine with VMware server (completely free solution). The VM method will require system resources. Untangle offers a good deal of security. Firewall functions, anti-virus, anti-spam, anti-phishing, etc. It's a pretty nice little package. Check it out.