A software firewall is good for some things but IMO does not touch a hardware ACL on the router for my application. The application permissions model is fine for most things, but what if, as in my situation, you want to block all traffic on port 80/443 and only allow certain exceptions? The application permissions model does not serve this purpose very well. You can elect to block IE (or whatever) from accessing the network or not. Maybe if you have a good firewall, you can employ a whitelist/blacklist of URLs. Then when traffic hits the stack on your desktop, your CPU has to make lookups/decisions about the traffic. I want this traffic blocked BEFORE it hits my desktop, especially on my HTPC. I don't want the decision cycle taking up resources on a box like that. Additionally, a Windows exploit that never touches a Windows system is no threat at all.
Avast is the first application I have run into this problem with; most solutions use a reverse proxy server or server farm to distribute load rather than doing it via a list of servers like Avast does. So you hit the one URL/IP on your download and it assigns your request to one of its subsidiary servers. Not sure why they chose the solution they did, but it's my problem to deal with, not theirs.
Scripting, here we come.
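The kind of script the post is heading towards, as an added example that is not from the original poster: resolve a hostname allow-list (the vendor's download/update mirrors) and render a default-deny ACL for ports 80/443 with those addresses as the only exceptions. The ACL syntax is Cisco-IOS-style extended-ACL text assumed for illustration, the hostnames and addresses are constructed, and the resolver is injectable so it can be tested offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable

WEB_PORTS = (80, 443)


def resolve_all(host: str) -> set[str]:
    """Every IPv4 address the hostname currently resolves to (live DNS)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def collect_allowed_ips(hosts: Iterable[str],
                        resolver: Callable[[str], set[str]] = resolve_all) -> list[str]:
    """Resolve the allow-list. An unresolvable host is skipped, not fatal, so one
    dead mirror does not leave the router with no exceptions at all. Output is
    validated, de-duplicated and sorted so each refresh produces a diffable ACL."""
    found: set[ipaddress.IPv4Address] = set()
    for host in hosts:
        try:
            found |= {ipaddress.IPv4Address(ip) for ip in resolver(host)}
        except (OSError, ValueError):  # gaierror is an OSError; bad address text is ValueError
            continue
    return [str(ip) for ip in sorted(found)]


def render_acl(name: str, allowed_ips: Iterable[str]) -> list[str]:
    """Explicit permits first, then deny all other 80/443, then pass non-web
    traffic (an IOS-style ACL otherwise ends in an implicit deny). Assumed syntax."""
    lines = [f"ip access-list extended {name}"]
    for ip in allowed_ips:
        for port in WEB_PORTS:
            lines.append(f" permit tcp any host {ip} eq {port}")
    for port in WEB_PORTS:
        lines.append(f" deny tcp any any eq {port}")
    lines.append(" permit ip any any")
    return lines


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "download.example-av.invalid": {"203.0.113.11", "203.0.113.10"},
    "update.example-av.invalid": {"203.0.113.11", "198.51.100.7"},
}


def fake_resolver(host: str) -> set[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: {host} does not resolve")
    return FAKE_DNS[host]


if __name__ == "__main__":
    ips = collect_allowed_ips(list(FAKE_DNS) + ["nope.invalid"], fake_resolver)
    print("\n".join(render_acl("WEB_ALLOWLIST", ips)))
```

Run it from cron with the real resolver and push the output only when it differs from the last run, so mirror changes show up as a reviewable diff rather than a silent ACL rewrite.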