Try running
GRC's Shields Up and compare the built-in sp2 firewall and ZA for yourself. Come out from behind the router/hardware firewall first.
I get a perfect "Passed True Stealth" rating with Zone Alarm Pro v5.1, it passed both solicited TCP packets, unsolicited packets tests and the ping reply test...it doesn't "exist" on the internet.
I get a "Failed True Stealth Analysis" with the sp2 firewall, it passed the solicited TCP packets test, but failed the unsolicited packets and ping reply tests.
I'm sticking with ZA, having to check "yes" to let a half dozen or so programs access the internet one time is not a big deal and when I forget to turn off auto update on something ZA lets me know so that I can. I want the outbound peace of mind that I'm in control of the machine and the assurance that I'm adequately protected inbound.
The Windows firewall is convenient for the novice that might not buy a software firewall and therefore, better than his not having one, for everybody.