I run ZoneAlarm Pro behind a NAT firewall (router). Just looked at the stats on the firewall, and even behind the router, it has detected and blocked 189 inbound attempts. Yes, you need the additional protection.
How good is the SP2 firewall? Don't know, as I turned it off because it does not provide the same level of outbound and identity protection as ZoneAlarm. (ZoneAlarm will block specific information you set up (name, email, phone #, address, etc.) from going to any site unless you specifically allow that info to be sent to that specific site.)
When this feature was added, I was amazed to see how many times during routine surfing that my email and other info was being sent to sites without my knowledge.