Well Sasza,
I too have some thoughts on your questions. In this respect I think it has not much to do with the interaction between AV and FW, but it has more to do with MS "by design".
This is information with one point of view in mind and also a bit biased, but in this respect it leads you in a good direction. By design, Microsoft Windows XP is fragmented where MRUs are concerned: the registry is hierarchical but the information is all over the place, and an extensive number of MRUs have been altered to an "unreadable" format for 99% of the users. So remember: hierarchical, but fragmented. Swap file keeps ghost images generated. Raw sockets access also bypasses every home firewall from the old Sygate to ZoneAlarm. The reason is that these applications rely on the Windows message/event handling and MS designed the raw sockets not to report to this layer. Install for instance a TCP/IP packet crafter on WinXP SP2 to see this function in action.
Index.dat contents also include deleted files, temporary internet files. Without extreme reconfiguration of Windows, end users will not see the real files, but instead a generated representation drawn from this file called index.dat. Registry security is mainly the end user's responsibility. An ini file would be a better solution, simpler and better security-wise. Furthermore, a growing registry slows the system considerably.
Know the (hidden) workings of your Windows OS and the design of it, and you can answer some questions better.
greets,
polonus