The helper libraries seem like they would support a proof of concept effort. Can anyone confirm this? Also, the PassThru sample app looked like the best place to get an idea of starting.
Yes, you can take passthru sample as base for this kind of solution. It transparently filters all incoming and outgoing packets for the specified network interface and has capability to modify them. In general I think you can implement relatively flexible solution on this way.
However, I would solve the concrete problem on a bit easier way. Let’s assume you using NT/2000/XP/2003 type of operating system. It’s not a great problem to create a driver which intercepts NT native API calls. Since creating a process on NT system requires calling a subset of native API (NtCreateFile, NtCreateSection, NtCreateProcess) you can hook one or all of them (there are several ways), check the file/process which is going to start and block/permit the operation basing on user reaction, registry setting, driver loaded settings or etc… On this way you can create a flexible solution for monitoring processes start up on your system. I would even surmise that you could find a ready solution for this approach in the Internet.