I mentioned before that it doesn't really make much sense with web hosting because the port can easily be changed so it's not very effective
at all.
Stop thinking of policing the user and start thinking of providing a security service. The default setting of the security service might include a block on port 80 inbound, but if the user needs to enable this traffic, give them a web form that they can use to reconfigure their settings. Or, if you can't handle such a variety of individual ACLs on your equipment, give them the option of buying a broadband router with a recommended default config and un-blocked service. If the user has to intervene in order to enable a server type application to function, that makes it a lot harder for trojan exploits to take hold. --Michael Dillon