Smoothwall requires DHCP which I do not run.
I like Linux but the learning curve at a time when
I am troubleshooting IIS publication failures is not
the best option right now.

Agreed, a good firewall is required but I think
I have to find the existing problem and cure it.
Then investigate firewall alternatives.
Lets face it, everyone commenting here has their own
solution to firewall protection. No one size fits all.
I am using ZoneAlarm Pro controlling what can come in
and what can go out. I would like to find the easiest way
to trap the attackers IP so that I can block them.
A passive approach suits me fine as long as I can keep
my servers safe. It appears that the current attack continues
until the IIS publishing service is compromised then the
events no longer show failed audits. During the attack,
publishing seems to stop and restart a few times then it stops
completely.

My priority is to enable IIS to provide continuous web page publication.
There is no notification it just stops web serving and there is
no reporting in events or anywhere else, even IIS itself is still
running. Once I have done that I will diligently investigate
and apply the best firewall I can. And then I want to be proactive
about prevention. This cure business is a real pain.

Appreciate everyone's comments they are very helpful.