NATting firewalls don't help at all with email-delivered malware, browser exploits, etc.
If the firewall is configured to block all outgoing traffic to port 25 servers, then it helps considerably. After all outgoing email should be going to port 587. And if the system designer is creative enough, then this firewall thingy which is reputed to protect you from bad stuff, would also download and install the latest patches to protect against browser exploits. If this is all run on a separate CPU it can also do some pretty in-depth inspection and do things like block .exe attachements in email. None of this is rocket science. The hardware available today can do this. This hardware is not expensive. It does, however, require systems vendors to have a bit of imagination and that seems to be in rather short supply in the modern world. --Michael Dillon