Well, for starters, a program can turn DEP off on its own with a simple call. Creating addressable space (VirtualAlloc() et al.) shouldn't be caught by a HIPS; programs do this all the time. I doubt a HIPS would catch any of this until maybe somewhere later in the exploit, i.e. the payload. Virtualization of the registry isn't important until you have your payload. Sandboxie with full virtualization would protect you from most exploits, barring kernel-level/Sandboxie exploits. And since this is XP and it can gain Admin, I don't see why it couldn't just turn everything off (unless it's in Sandboxie). I do hope it's purely the OS that's not being updated and that plugins like Flash are. I also don't see how default-deny can stop a payload if you launch it from, say, Flash, which will have already disabled defenses like DEP and can read/write to (now) executable memory. But that's because I'm not sure how default-deny actually ensures denial.
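The post's point that allocating executable memory looks like ordinary program behaviour, and that the thing DEP actually blocks is running code from a page that was never marked executable, is easy to see in code. The following is an added example, not code from the post or from any product it mentions. It is written against the POSIX analogues of the Windows calls (mmap/mprotect in place of VirtualAlloc with PAGE_EXECUTE_READWRITE and VirtualProtect; on Windows the "simple call" to relax DEP for the current process is SetProcessDEPPolicy, which is not available on POSIX and is not modelled here). It assumes an x86-64 or AArch64 Linux host with NX enforced; the machine-code stub that returns 42 is constructed for the example.

```c
/* Added example: RWX allocation, RW->RX flip, and what NX/DEP blocks. Assumes x86-64 or AArch64 Linux. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*ret_int_fn)(void);

/* Constructed stand-in for a payload: a stub that just returns 42. */
#if defined(__x86_64__)
#define STUB_OK 1
static const uint8_t stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
#define STUB_OK 1
static const uint8_t stub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#define STUB_OK 0
static const uint8_t stub[] = { 0 };                                              /* unsupported arch */
#endif

/* Write the stub into a mapping and jump to it; flushes the icache for AArch64. */
static int write_and_call(void *mem) {
    memcpy(mem, stub, sizeof stub);
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);
    return ((ret_int_fn)mem)();
}

/* Mirrors VirtualAlloc(..., PAGE_EXECUTE_READWRITE): one RWX page, no DEP involvement at all. */
int run_from_rwx_page(void) {
    if (!STUB_OK) return -1;
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    int r = write_and_call(mem);
    munmap(mem, (size_t)page);
    return r;
}

/* Mirrors VirtualAlloc(RW) then VirtualProtect(RX): write first, flip the page, then execute. */
int run_after_protect_flip(void) {
    if (!STUB_OK) return -1;
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, stub, sizeof stub);
    if (mprotect(mem, (size_t)page, PROT_READ | PROT_EXEC) != 0) { munmap(mem, (size_t)page); return -1; }
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);
    int r = ((ret_int_fn)mem)();
    munmap(mem, (size_t)page);
    return r;
}

/* What DEP/NX actually enforces: executing from a page that is only RW faults. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if the jump into the RW page faulted (NX enforced), 0 if it ran, -1 on setup error. */
int nx_page_blocks_execution(void) {
    if (!STUB_OK) return -1;
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, stub, sizeof stub);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        ((ret_int_fn)mem)();   /* valid instructions, but the page carries no PROT_EXEC */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, (size_t)page);
    return faulted;
}
```

The first two functions are exactly the memory-management pattern any JIT or packer uses, which is why a HIPS that alerted on them would drown in false positives; the third is the only case DEP changes, and a payload that has already been handed an executable page (or has flipped one with mprotect/VirtualProtect) never hits it.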