Metronet, where are you (and your software) when the world needs you?
Small but perfectly formed pioneering UK PAYG ISP Metronet used to do most of the good stuff being suggested here, till a bigger ISP bought them out and (presumably) abandoned the Metronet-unique stuff.
They had ISP-level detection of the signatures of common malware, and a "walled garden" until it was fixed (can't remember the exact details, who cares).
They also had an ISP-based firewall which punters could enable or not as required, and once enabled they could configure it as required. IIRC it had simple mode (pick from "no ports open", "block privileged ports", "commonly abused ports blocked", "all ports open") and geek mode ( a list). In fact the details are still at
http://www.metronet.co.uk/support/security/firewall.shtml
IIRC the firewall was part of the same system which also provided an optional ISP-based proxy which also served as a configurable content filter (adult or not, etc) and configurable ad blocker.
All based on COTS hardware and free software too, iirc. Not a Juniper or Redback or Cisco etc to be seen. Fabulous.
"Keep your computer safe and secure with Metonet's built-in firewall system" (sic)
Tryping wasn't always their strongest point, but who cared anyway.
Not an employee or associate, but a very happy customer at the time. Let's raise a glass or five to the memory of Metronet, and question why the big boys can't be 1% as creative and instead choose to bring us dross like Phorm (have they burnt all of their most recent finance round yet?)