Hmm, I don't believe so. I think once you add:
> isakmp enable outside
into your config then that makes the PIX listen on port 500 for incoming connections, overriding the ACL on the outside. Unless the incoming connection has a valid "isakmp key address x.x.x.x ......" command associated with it though, the PIX will not respond to tunnel requests.
How are you determining that "it's easy to find out what type of device it is by querying port 500", since unless you send a valid ISAKMP packet through from a valid address with a valid key, I didn't think you could tell anything. Just port scanning won't tell you anything unless I'm mistaken. I just port-scanned my PIX and it does show port 500 open, but there's no other information than that.