In terms of what I want in a firewall, my XP box runs Kerio with a complete deny-by-default approach. Every application that wants to listen from the Internet has to have permission, every application that wants to connect out to the Internet has to have permission (I use it to stop a handful of apps from phoning home). I hardly notice it's there now that it's trained, but that's pretty much what I want. When a new application comes up then I check the remember box, pick Allow or Deny and it's all sorted.

I've been trying to do the same with Windows Firewall in Vista. It bites.

Enabling outbound control is easy enough -- Administrative Tools | Windows Firewall With Advanced Security, and a couple of clicks from there. Done.

Okay, now IE can't connect out. That's pretty much what I expected. Why didn't I get a prompt about it?

Oh, you only get prompted about incoming connections. Blocked outbound connections just silently fail. No way to get outbound prompts.

Alright, so I'll turn on the firewall log and see what's getting blocked. Not quite as one-click as Kerio, but I can still make this work.

Except the firewall log is a pain to get to (you need to be elevated just to read it), and only includes port numbers and IP addresses, not process names.

So allowing a program out through the firewall is now down to this:
1. Work out that a program's failure actually is due to the firewall.
2. Use a combination of Task Manager and Windows Explorer to try and work out which process is actually responsible for the connection. This is fun with virus scanners etc -- the process which tries to download the updates isn't generally the UI you launch an update from.
3. Open Windows Firewall With Advanced Security and create a new outbound rule. Probably about 10-15 clicks here, plus having to know the full path to the executable you want to allow out.
4. See if it worked, and repeat the process if it didn't (i.e. you picked the wrong process to let out).
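The scriptable version of that loop, as an added example rather than anything from the original post: it summarises the outbound DROP entries in the firewall log (so step 1 is a lookup instead of a guess) and replaces the rule wizard clicks in step 3 with a netsh call. It assumes the default log location, the standard log header (`#Fields: date time action protocol src-ip dst-ip src-port dst-port ... path`), and an elevated prompt, since the log can't be read otherwise; the rule name and executable path at the bottom are placeholders.

```powershell
# Added example, not from the original post. Assumes the default log path,
# the standard W3C-style firewall log header, and an elevated prompt.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Get-OutboundDrops {
    param([string]$Path)
    $fields = $null
    $drops = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; use it instead of fixed offsets
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($fields -eq $null -or $line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        $cols = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $cols.Length; $i++) {
            $row[$fields[$i]] = $cols[$i]
        }
        # Only blocked outbound entries (path = SEND) matter for this problem;
        # the log carries no process name, so group by protocol and destination
        if ($row['action'] -ne 'DROP' -or $row['path'] -ne 'SEND') { continue }
        $key = '{0} {1}:{2}' -f $row['protocol'], $row['dst-ip'], $row['dst-port']
        $when = '{0} {1}' -f $row['date'], $row['time']
        if (-not $drops.ContainsKey($key)) {
            $drops[$key] = New-Object PSObject -Property @{
                Target = $key; Count = 0; First = $when; Last = $when
            }
        }
        $drops[$key].Count++
        $drops[$key].Last = $when
    }
    $drops.Values | Sort-Object Count -Descending
}

function Add-OutboundAllowRule {
    param([string]$Name, [string]$ProgramPath)
    # netsh advfirewall is the command-line equivalent of the MMC rule wizard
    if (-not (Test-Path -Path $ProgramPath)) { throw "No such executable: $ProgramPath" }
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow program="$ProgramPath" enable=yes
}

# Step 1: see what is actually being dropped and how often
Get-OutboundDrops -Path $LogPath | Format-Table Target, Count, First, Last -AutoSize

# Step 3, once you know which executable it is (placeholder name and path):
# Add-OutboundAllowRule -Name 'Allow IE out' -ProgramPath "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

Compare the Target column against the address the failing program was trying to reach; if nothing there matches, the firewall isn't the problem and step 2 can be skipped.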
I see Kerio in my future again...