Hi big M,
I like the HIPS system, I like to be able to vet TCP/IP sessions to prevent apps from dialling out.
One feature I have noticed on a few software firewalls is a "resolve" button near the destination IP address listing.
This would do a reverse lookup on an IP address and possibly a whois to determine who and (where?) exactly this remote host is.
This is a quick way to determine where some svchost.exe or NTOSKRNL.exe binary is talking to:
error-reporting.Microsoft.com (updates, etc. OK)
dynamic3jds3dsllgr.BulletProof-MALwareHost.cn (DANGER WILL ROBINSON)
Might be a useful feature to introduce? Maybe it could be disabled by policy for corp LANs without external DNS, etc.
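
Added example, not part of the original post and not code from any firewall product: a sketch of what such a "resolve" button could do, with a forward-confirmation step because the PTR record is set by whoever controls the IP's reverse zone and can claim any name. The function names, the resolver hooks and the sample records (documentation addresses and `.example` names) are constructed for illustration.

```python
import ipaddress
import socket

def _norm(addr):
    # Normalise textual IPs (drop any IPv6 scope id) so comparisons are exact.
    return ipaddress.ip_address(addr.split("%")[0])

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]          # PTR lookup via the OS resolver

def system_forward(name):
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def resolve_remote(ip, reverse=system_reverse, forward=system_forward):
    """Return (hostname, confirmed) for a connection's remote IP.

    confirmed is True only if the PTR name resolves forward to the same IP.
    """
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:                              # no PTR record
        return None, False
    try:
        addrs = {_norm(a) for a in forward(name)}
    except OSError:                              # PTR name does not resolve
        return name, False
    return name, _norm(ip) in addrs

# Constructed sample records (hypothetical), so the example runs offline.
PTR = {"192.0.2.10": "updates.vendor.example.",
       "198.51.100.7": "updates.vendor.example."}   # second PTR is a false claim
A = {"updates.vendor.example": {"192.0.2.10"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise OSError("no such host")
    return A[name]

def demo():
    ips = ("192.0.2.10", "198.51.100.7", "203.0.113.5")
    return {ip: resolve_remote(ip, fake_reverse, fake_forward) for ip in ips}

if __name__ == "__main__":
    for ip, (name, ok) in demo().items():
        print(ip, name or "(no PTR)", "confirmed" if ok else "UNCONFIRMED")
```

A name shown as unconfirmed should be treated as a claim by the remote side, not as an identification of the host.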