If one were to compare an IDS with a "leak-proof" software firewall, on its simplest level the IDS is a blacklist while the leak-proof firewall is a whitelist. As usual, the devil is in the details. Because there are many possible ways to impersonate or use a whitelisted application to contact the internet, some of the new firewalls have HIPS built in to deal with these possibilities. There are many pop-ups and a training period that never completely ends. It may be OK for a hobbyist who likes to test new firewalls, but it is not secretary-proof. There are other issues, but the main one is that too much responsibility is placed on the user, who might make a mistake.

The IDS is more like an AV. The difference is that it looks for certain communication patterns that are consistent with malware operating. The detection is more behavioral and generic than that of an AV, because it is much easier to change the package of the malware to avoid signature detection than it is to change its mode of communication. Of course, the target must be in the IDS database. Note that either method involves post-infection detection, so either might be defeated by malware that disables the firewall, sends "allow" messages, or installs a communications driver to bypass the firewall.

I prefer not to have to rely on the user to train the firewall, so I think IDS is a better idea. There are a few firewalls with IDS built in. The Sygate-derived Symantec Endpoint Protection comes to mind. Avast AV has a lightweight IDS built in. There are stand-alone Linux-based IDS systems like Snort. Perhaps some of you know of other IDS programs that run on Windows. Any thoughts on this, anyone?
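The two models the post contrasts, shown side by side over a handful of constructed outbound-connection records. This is an added example, not code from the original post or from any of the products it names; the process names, hostnames and the "IDS database" entries are made up for illustration. The whitelist firewall decides purely on the process image name, so a malicious process that presents itself as `chrome.exe` is allowed through. The IDS side ignores which process is talking and instead (a) matches a small signature database of known destinations and (b) applies a behavioural rule: a flow that reconnects at near-regular intervals (low coefficient of variation of the gaps between connections) is flagged as beaconing.

```python
"""Whitelist firewall vs. behavioural IDS over constructed connection logs.

Added example; not code from the original post or from any product it
mentions.  All names, hosts and timestamps below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since capture start (constructed)
    process: str    # image name as reported by the OS (spoofable)
    dest: str       # destination host
    port: int       # destination port


# Whitelist ("leak-proof" firewall) model: only these images may go out.
ALLOWED_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}

# IDS signature database: constructed (host, port) pairs the IDS "knows".
IDS_KNOWN_C2 = {("update-check.example.net", 443)}

# Constructed traffic: normal browsing, a process impersonating chrome.exe
# that beacons every ~60 s, and an unknown dropper hitting a known host.
SAMPLE_CONNS = [
    Conn(0.0, "chrome.exe", "www.example.com", 443),
    Conn(1.7, "chrome.exe", "www.example.com", 443),
    Conn(9.4, "chrome.exe", "www.example.com", 443),
    Conn(12.2, "chrome.exe", "www.example.com", 443),
    Conn(40.1, "chrome.exe", "www.example.com", 443),
    Conn(5.0, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(65.2, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(124.9, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(185.1, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(245.0, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(305.3, "chrome.exe", "cdn-sync.example.org", 443),
    Conn(7.0, "dropper.exe", "update-check.example.net", 443),
]


def firewall_decisions(conns):
    """Whitelist model: allow iff the process image is on the list.

    Returns a list of (Conn, allowed) pairs. Note that it cannot tell a
    genuine chrome.exe from a process that merely uses that name.
    """
    return [(c, c.process in ALLOWED_PROCESSES) for c in conns]


def beacon_score(timestamps, min_count=5, max_cv=0.15):
    """Behavioural rule: regular re-connection intervals suggest beaconing.

    Returns (is_beacon, mean_interval). The coefficient of variation
    (stdev / mean) of the inter-connection gaps is low for a timer-driven
    implant and high for interactive, human-driven traffic.
    """
    if len(timestamps) < min_count:
        return False, 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return False, 0.0
    cv = pstdev(gaps) / mu
    return cv <= max_cv, mu


def ids_alerts(conns):
    """IDS model: signature hit on a known destination, or a behavioural
    beaconing hit per (process, dest, port) flow. Process name is only
    reported, never used as a trust decision.
    """
    alerts = set()
    by_flow = defaultdict(list)
    for c in conns:
        if (c.dest, c.port) in IDS_KNOWN_C2:
            alerts.add(("signature", c.process, c.dest, c.port))
        by_flow[(c.process, c.dest, c.port)].append(c.ts)
    for (proc, dest, port), ts in by_flow.items():
        is_beacon, _interval = beacon_score(ts)
        if is_beacon:
            alerts.add(("beacon", proc, dest, port))
    return sorted(alerts)


if __name__ == "__main__":
    for conn, allowed in firewall_decisions(SAMPLE_CONNS):
        print(f"firewall {'ALLOW' if allowed else 'DENY '} "
              f"{conn.process:12} -> {conn.dest}:{conn.port}")
    for kind, proc, dest, port in ids_alerts(SAMPLE_CONNS):
        print(f"ids      {kind:9} {proc:12} -> {dest}:{port}")
```

Run as-is, the whitelist allows every `chrome.exe` connection, including the beaconing one, and only denies `dropper.exe`; the IDS side flags the beaconing flow on its timing alone and the dropper on the signature match. The thresholds (`min_count`, `max_cv`) are illustrative; a real deployment would also have to cope with implants that add jitter to their sleep interval, which is exactly the "mode of communication" change the post argues is harder for malware authors than repacking the binary.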