you'll have to keep some ports open for it to carry out normal operation. The 3rd party firewall, on the other hand, stays in front of Win2k's TCP/IP stack, so it can close those ports from outside while allowing those ports to stay open from inside to keep Win2k happy.
For the DNS proxy thing, I would assume it's a cache DNS server that may forward requests to the ISP's DNS server. If the ISP's DNS server is not available, it still can operate on its own. Since it's a canned configuration, which means the user does not have to change anything, it'd better be a cache DNS server. Otherwise, if the ISP's DNS server is not available, the user wouldn't be able to get on to the Internet.
Anyways, that's just my thought and it could be wrong.