I'm not an expert at anything so simply speaking from my own opinion.
I'm guessing there are standard port blocks ISPs use to block out known channels of exploit. With my ISP I do have the option to disable this but I have no reason to.
Don't get confused with DNS contact with the ISP, which I was once upon a time paranoid about until I spoke to support.
I have no issues about my ISP, after all they prioritize customer privacy and even won a court case against the anti-p2p campaigners.
Router NAT I think is standard & should be allowed for basic security. However there do exist some routers on the market which don't possess UPnP or even port forwarding, which does not give you much choice.
Apparently some routers these days have either or both SPI and Content Filtering. Content filtering would be best done on a specific computer, not the entire home network so I dislike that option. SPI I know very little about. But SPI can be exploited by hackers in any case so it's not an ideal system. I would have doubts about using SPI because it could quite easily clash with p2p file-sharing.
Being predominantly a Mac user, I probably think about security less than the average person. However I do utilize a 3rd party tool. I also keep the system firewall on.
Some 3rd party Windows firewalls are not designed to cater for p2p file-sharing. I recall giving BearShare the maximum permissions on one of these and BearShare still detected it was being firewalled by this particular firewall.
DMZ is potentially dangerous IMHO.