December 21, 2004


Service Pack 2 Firewall Flaw

Security Alert!
Platform: Windows XP with Service Pack 2 running Microsoft's integrated firewall
Microsoft Severity: CRITICAL
Actual Severity: CRITICAL

Service Pack 2 has a critical vulnerability which can give the entire Internet access to file and print services that Microsoft's integrated firewall is supposed to protect.

According to a Knowledge Base article Microsoft released last week (#886185), a flaw in the way the firewall interprets network scopes results in the Internet being considered a local network (the "My network" subnet). This happens when the Windows dial-up adapter is used to make the Internet connection, which can be the case with both modem and broadband Internet services. In particular, PPP-over-Ethernet connections, favored by some cable and DSL providers, often use this approach.

Microsoft has a fix available.

If an XP user opens printer and/or file sharing to his local network (not uncommon), the same services then become accessible via the Internet. Microsoft says this is not a bug, but rather "a configuration setting that shipped with Windows XP that was not optimal, but that is not classified as a security vulnerability," (Gary Schare, Windows director of product management, in a copyrighted Network World story). You can hear the weasels being tortured in every word.
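The scope failure and its effect on sharing exceptions can be modeled as a small audit, shown here as an added example (not code from this post or from Microsoft). The field names, adapter entries and the `0.0.0.0/0` scope are constructed stand-ins for "the Internet is considered local"; the post does not give the exact scope the firewall computes.

```python
import ipaddress

# RFC 1918 ranges: what a home "local network" scope should stay inside.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports used by Windows file and print sharing (NetBIOS, SMB).
SHARING_PORTS = {137, 138, 139, 445}

def scope_is_local(scope):
    """True if the scope lies wholly inside private address space."""
    net = ipaddress.ip_network(scope)
    return any(net.subnet_of(p) for p in PRIVATE)

def admits(scope, source_ip):
    """Would a local-subnet-only exception accept this source address?"""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(scope)

def audit(adapters, exceptions):
    """Return (adapter, port) pairs where a sharing exception limited to
    the local subnet is in fact reachable from public addresses."""
    findings = []
    for a in adapters:
        if scope_is_local(a["local_scope"]):
            continue
        for e in exceptions:
            if e["scope"] == "local_subnet" and e["port"] in SHARING_PORTS:
                findings.append((a["name"], e["port"]))
    return findings

# Constructed sample data (hypothetical field names and values).
ADAPTERS = [
    {"name": "LAN", "local_scope": "192.168.1.0/24"},
    # Stand-in for the flaw: dial-up/PPPoE scope covering everything.
    {"name": "PPPoE dial-up", "local_scope": "0.0.0.0/0"},
]
EXCEPTIONS = [
    {"port": 445, "scope": "local_subnet"},
    {"port": 139, "scope": "local_subnet"},
    {"port": 3389, "scope": "any"},
]

if __name__ == "__main__":
    for name, port in audit(ADAPTERS, EXCEPTIONS):
        print(f"{name}: port {port} open beyond the local network")
```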

Dr. I. Doctor always recommends a hardware firewall, even at home, as the primary security for a network. Software firewalls built on general-purpose operating systems like Windows are just too unreliable to count on as your first line of defense. A hardware firewall, consisting of purpose-built software running on a dedicated network appliance, has a much lower probability of catastrophic bugs like this one. And you can buy very good name-brand firewalls for as little as $50, so cost is no excuse.


Microsoft's KB bulletin on the problem:


http://support.microsoft.com/kb/886185


The downloadable hot fix:


http://www.microsoft.com/downloads/details.aspx?familyid=da66a0ac-55ca-4591-b3e6-d78695899141&displaylang=en

Posted by Mel Beckman at December 21, 2004 10:57 AM