Mark Wilson enjoyed a TechNet event so much he wrote an article all about it!
Most firewalls only inspect the packet header of each piece of traffic and ignore the payload itself. As Mark explains, traffic that's destined for port 80 may not necessarily be HTTP, and yet most firewalls assume this to be the case. Many people regard port 80 as the "Universal Firewall Bypass" port, as it's normally open for inbound traffic and pretty much any traffic can be passed through it!
Microsoft's enterprise firewall, ISA Server, inspects both the header and the payload of each packet and ensures that traffic headed for the web server is actually RFC-compliant HTTP, thereby cutting out a whole class of attack vectors.
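To make the header-only versus payload-aware distinction concrete, here is an added Python illustration (not from Mark's article and not ISA Server's code). It makes the port-based decision a simple firewall would make, then makes a second decision that also checks whether the start of the TCP stream is a well-formed HTTP/1.x request per the request-line and header grammar of RFC 2616/7230. The sample flows, the allow-listed method set and the function names are all constructed for this example.

```python
"""
Added example: contrast a header-only firewall decision (destination port)
with a payload-aware check that a stream to port 80 really starts with an
HTTP/1.x request. Sample flows below are constructed for illustration.
"""
import re

# Request line per RFC 7230: method SP request-target SP HTTP-version CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n$")
# Header field: token ":" OWS field-value CRLF
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n$")
# Constructed allow-list; RFC 7230 permits extension methods, this example
# deliberately limits the set to the well-known ones.
_KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                  b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}


def header_only_decision(dst_port: int) -> str:
    """Header-only firewall: anything to port 80 is allowed, payload unseen."""
    return "allow" if dst_port == 80 else "deny"


def looks_like_http_request(payload: bytes) -> bool:
    """True if payload begins with a well-formed HTTP/1.x request head
    (request line, zero or more header lines, then an empty line)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False  # end of headers never seen in this segment
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0] + b"\r\n")
    if not m or m.group(1) not in _KNOWN_METHODS:
        return False
    # Every remaining line must be a syntactically valid header field
    return all(_HEADER_LINE.match(line + b"\r\n") for line in lines[1:])


def payload_aware_decision(dst_port: int, payload: bytes) -> str:
    """Payload-aware firewall: port 80 is allowed only for real HTTP."""
    if dst_port != 80:
        return "deny"
    return "allow" if looks_like_http_request(payload) else "deny"


# Constructed sample flows: (name, destination port, first bytes of stream)
SAMPLE_FLOWS = [
    ("http_get", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("ssh_banner_on_80", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("tls_client_hello_on_80", 80,
     b"\x16\x03\x01\x00\xf8\x01\x00\x00\xf4\x03\x03" + b"\x00" * 32),
    ("unknown_method", 80, b"FOO / HTTP/1.1\r\n\r\n"),
    ("malformed_header", 80, b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n"),
    ("http_on_8080", 8080, b"GET / HTTP/1.1\r\n\r\n"),
]


def evaluate(flows):
    """Return {name: (header_only_verdict, payload_aware_verdict)}."""
    return {
        name: (header_only_decision(port), payload_aware_decision(port, data))
        for name, port, data in flows
    }


if __name__ == "__main__":
    for name, (hdr, pl) in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:24s} header-only={hdr:5s} payload-aware={pl}")
```

The header-only column allows every flow to port 80, including the SSH banner and the TLS handshake, which is exactly the "universal bypass" Mark describes; the payload-aware column allows only the well-formed request. A production inspection engine goes much further than this (stream reassembly, full header and body parsing, per-method rules), but the decision it adds is the same: the port is a hint, the bytes are the evidence.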
You can read Mark's article here.