Here's the situation, my network has a Cisco 1811 router. This network is going to be mostly used for remote field operators to VPN into the system (via SSL VPN) and once they have established a VPN connection they will use a remote desktop protocol (VNC) to remote into a computer where they can access a program that was custom built for their work. The workers and management are concerned about the field operators getting a virus on their computer and it spreading to the main computer. The main computer doesn't have any antivirus programs on it as those tend to conflict with the custom built program. So they want a firewall on the internal network that will have all the ports blocked except a few non-standard ports for the remote desktop program. That way if the field operators do get a virus then they won't spread it to the main computer once they are inside the VPN.
CBAC is quite simple.
You define a set of protocols you want to inspect and apply it on an interface (best practice - outbound on the WAN interface)
ZBF is much more powerful but MUCH more complicated:
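To make the CBAC part of the answer concrete, here is an added IOS configuration example (constructed for this thread, not posted by the answerer and not taken from any Cisco document). It assumes FastEthernet0 is the WAN interface on which the VPN users' traffic arrives, that the main computer is 192.168.10.10, and that the VNC server has been moved to the non-standard port TCP 5923; all three are placeholders to be replaced with the real values.

```cisco
! Added example: CBAC plus an inbound ACL on the WAN interface.
! Assumed values: FastEthernet0 = WAN, 192.168.10.10 = main computer,
! TCP 5923 = non-standard VNC port. Adjust to the real network.
!
! 1. Define the set of protocols CBAC will inspect. Sessions that the
!    inside initiates get temporary return entries in the inbound ACL.
ip inspect name FIELDOPS tcp
ip inspect name FIELDOPS udp
!
! 2. Inbound ACL: only the VNC port on the main computer may be reached
!    from outside; every other unsolicited packet is dropped and logged.
ip access-list extended WAN-IN
 remark Only the non-standard VNC port to the main computer is allowed in
 permit tcp any host 192.168.10.10 eq 5923
 deny   ip any any log
!
! 3. Apply both on the WAN interface: ACL inbound, inspection outbound.
interface FastEthernet0
 description WAN / VPN-facing interface
 ip access-group WAN-IN in
 ip inspect FIELDOPS out
```

After applying it, `show ip inspect sessions` lists the sessions CBAC is tracking and `show ip access-lists WAN-IN` shows the hit counters, including the logged denies, which is the quickest way to confirm that nothing but port 5923 is reaching the main computer. If the SSL VPN tunnel is terminated on a different interface than the one carrying the raw WAN traffic, put the ACL and the inspect statement on the interface the decrypted VPN traffic actually enters through.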