BlackIce Defender is primarily an IDS (Intrusion Detection System) tool. It prevents certain attacks and notifies you of scans, etc. It can also be used to block certain types of attacks from the outside, shut down NetBIOS, etc. It does a reverse lookup to give you NetBIOS and DNS information on attackers, and it can be set to automatically block sites which are attacking you.

ZoneAlarm Pro scans mail and changes potentially dangerous extensions in attachments. It also blocks attacks from the outside. It has two separate settings for local networks (which you define) and the internet (basically anything else). It controls, selectively, which programs on your machine can access the local network or the internet as client or server. This has the helpful side effect of disabling DDoS tools that might have arrived on your system: you will see the attempted access and can stop it. Lastly, when you allow a program to have access, it computes a checksum, which makes it unlikely that someone can substitute, say, SubSeven for iexplore.exe. If you choose, this check can be turned off for selected programs (e.g. Microsoft applications) which will frequently be altered by patches and updates.

Between the two, you can lock the machine down pretty tight, but still have all the flexibility you need.
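The checksum-based program control described for ZoneAlarm Pro can be sketched as follows. This is an added example, not ZoneAlarm's own code: the `ProgramControl` class, the use of SHA-256 as the checksum, and the stand-in file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file (SHA-256 is this example's choice of checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ProgramControl:
    """Hypothetical per-program network allowlist keyed by path and checksum."""

    def __init__(self):
        self.rules = {}  # path -> (digest pinned at approval, verify flag)

    def allow(self, path, verify=True):
        self.rules[str(path)] = (sha256_file(path), verify)

    def check(self, path):
        """Return 'prompt' (unknown program), 'deny' (binary changed) or 'allow'."""
        rule = self.rules.get(str(path))
        if rule is None:
            return "prompt"
        digest, verify = rule
        if verify and sha256_file(path) != digest:
            return "deny"
        return "allow"


def demo():
    """Approve two constructed stand-in files, replace both, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        browser, updater = Path(d, "browser.exe"), Path(d, "updater.exe")
        for p in (browser, updater):
            p.write_bytes(b"original build")
        pc = ProgramControl()
        pc.allow(browser)                # checksum enforced
        pc.allow(updater, verify=False)  # checksum turned off for this program
        before = (pc.check(browser), pc.check(updater))
        for p in (browser, updater):     # both files swapped on disk
            p.write_bytes(b"different program, same name")
        after = (pc.check(browser), pc.check(updater))
        return before, after, pc.check(Path(d, "other.exe"))
```

After the swap, the program with the checksum enforced is denied, while the one with the check turned off is still allowed under its old name. That is the trade-off of exempting frequently patched programs.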