Guys,
Thanks for all the good info.
I understand about services using ports and shutting down non-essential services closes those ports. We are protected from world by hardware FW. My concern is more toward the inevitable attack from within launched through malicious code from visited website or email attachment. My organization will not forbid 'surfing' and several users (including top management) routinely check their personal hotmail, yahoo, and other email accounts. Several users have installed my searchbar and similar utilities. One 'top level' user has left personl messenger app running on taskbar when away from desk. Mine is not an easy job here.
I have been checking several FW tools and am certain they provide the protection we need, but am also sure they would drive my users nuts to the point they would create a rule to allow what I am trying to prevent.
Case in point: I am using my home network to check out the FW products. KERIOS took no less than 7 clicks to access this thread from the link in an Outlook message so I could post this reply. Then the forum would not load. I had to disable FW to get here.
I think a parallel, and precursor course of action will be to educate all my users about the potential for attacks from seemingly innocent sources.

Luckily I did a cut and past of this post. Having re-enabled the FW while creating the reply, the FW tried to block when I submitted. Had to disable FW, revisit the formum from link, reply, paste, etc. ad nauseum. I can see why my users would try to circumvent the FW. FW is saying access on 2 different UDP ports. Is this because I am using a broadband connection shared through my other XP machine?