Anyone have a favorite personal firewall for Winboxen? For those that do, what must-have custom settings do you apply to them?

Kerio Personal Firewall.

Some personal settings:
Set UMR's junk to Trusted (131.151.*)
Predefined Network Security:
1st is trusted, 2nd is internet
Internet Group Managment Protocol: X X
Ping and TraceRt In: √ X
Ping and TraceRt Out: √ √
Outer ICMP packets: √ X
Dynamic Host Configuration Protocol: √ √
Domain Name System: √ √
Virtual Private Network √ √
Broadcasts: √ X

You could argue DHCP on internet to be X, and possibly VPN to be all X.
I suppose if you don't even want inbound pings you could disable inbound ones too. Don't disable outbound. Especially don't disable DHCP (you get your IP that way on non-dialup) or Domain name system (DNS).

You can otherwise set each application as you please for IN/OUT Trusted and IN/OUT Internet to whatever you'd like. And of course because about blocking certain things. There's 1 or 2 windows applications that do DHCP and DNS which you do NOT want to block.

I highly recommend looking into MonoWall.
It is FreeBSD based and is "commercially usable".
I helped install a few for an ISP I contract for.
It has rate limiting and everything... not that you need that.
The only down side is that there could be a learning curve.