Heh, well the networking stack in Vista is completely new, for better or worse. As for:
now they've been changed — they weren't poorly coded, as you assert, but relied upon the OS to be sane about outgoing connection attempts
Well, they were poorly coded for SP2. It's not like they couldn't have been fixed 6 months before the first version of SP2 was released, since there were developer betas available for free ages before. "Sane" is a relative term, though; there are several things inhibited by any operating system, just because of potential for abuse. I think that the whole "zombie" thing just went too far, and some way out had to be found.
If one can code around it for the functional uses, can these workarounds be used for the same attacks as the change was designed to fix? If not, it seems like a reasonable change to me.
Windows' biggest problem with its TCP/IP stack is that it's (shock, horror) standards-compliant. The standards have several large flaws, which impede the amount of data that can cross a TCP/IP connection (if you see a Linux machine beating records for server speed and so on, hacking the TCP/IP stack is commonly how it is done). Vista allegedly has a way around it without breaking the standards, but I believe it only works if both endpoints are running Vista. The documentation on it is well worth a read though, it's high class work. It's called CTCP (Compound maybe?) if I remember.
MS's security people, with the stuff in SP2, did seem to be attempting to get around the problems in their current setup as best they could, without breaking too much stuff. There aren't all that many non-malicious programs which frantically create outgoing TCP connections (BitTorrent, as you'll well know, is a hugely atypical protocol, and although BT is a lot of traffic on the internet, it's not nearly so many users inconvenienced on a percentage basis), and there's a hell of a lot of malicious ones. They seem to be going down the classic UNIX road of "functionality before correctness" these days, which may or may not work.
I've not directly played with networking in Vista (if there's one thing I find disinteresting, it's networking), however, so I can't say I know how it actually all goes together and stuff.