Up until recently I had disabled SVCHOST.exe from accessing the Net. Since Windows Update v5 I have had to allow SVCHOST.EXE access to the internet. Specifically, it wants to connect TCP outbound to destination ports 80 and 443, and TCP inbound on source ports 80 and 443. I've put together two rules (one for inbound and one for outbound) with a further block-all rule after this, but I fear this is still allowing too much. Ideally I would like to limit access to specific IP addresses for Windows Update as well. A lofty goal, but perhaps some kind soul has already done the grunt work?