
Unfortunately there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical.
It already is deployed upon a large scale. When I had @Home in Seattle (one of the first subscribers), I had a 10.x address. Here in Costa Rica, broadband (cable modem) connections for the entire country are behind NAT.
Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation?
I use IPSEC and it works fine behind NAT.
Unfortunately something like this would make the PC close to useless which is not the intent of the software provider. Thus you see everything open, security be damned.
No. You default open the common and popular internet ports for outbound, and 90% of users never use anything else.
As for plug-in "workgroup" networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and enable shared-key IPSEC.
And joe user will understand this because.....
That's the point, he doesn't have to. A "workgroup" becomes a name + a key/passphrase instead of just a name. What that accomplishes is completely hidden.

Adam