Norton's Firewall already includes HIPS, but it can be improved. For example, it can always allow automatically Norton trusted programs. It would also be great if we can customize what to ask for.
I think maybe you can try to make HIPS can block all of the leaktest sample here.
http://www.matousec.com/projects/proactive-security-challenge/results.php
I hope NIS 2011 can get good scores.
Their sample download:
SONAR is tied with the Firewall. SONAR uses various events and information including Insight to make a decision on whether a process is good and should be allowed to access the Internet. So, if I understand what you are describing correctly, this is already in the product.
No, I'm not talking about the internet (I know how Norton controls these events). I was talking about advanced events such as active desktop usage, code injection etc. It will also be a great option to setup Norton to ask only for files that are not Norton Trusted.