Sorry, but you're wrong... A trojan works like the "Trojan Horse." Once it's inside your NAT router, it connects to the outside from within your network. The only way to block it is by knowing what port the trojan will use, and then blocking that port at the router. Most people who will buy a HW firewall (i.e. not businesses) will use the plug and play features, never really configuring the device.
Mark
In any case, you could solve this one by only allowing specific outbound ports, typically 20, 80, 110, and 119.
As for the ignorant masses who buy a router without knowing how to use it, I urge them to learn. Get the O'Reilly TCP/IP book and work through the examples on a Linux or Sun box.
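The outbound port allowlist suggested in the reply above, applied as a default-deny egress check over flow records. This is an added example, not part of the original thread; the LAN range, the record format and the sample flows are constructed assumptions.

```python
import ipaddress

# Outbound destination ports named in the reply above.
ALLOWED_OUTBOUND_PORTS = {20, 80, 110, 119}
# Assumed LAN range behind the NAT router (hypothetical).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample records: "src_ip:src_port -> dst_ip:dst_port proto"
SAMPLE_FLOWS = """\
192.168.1.10:49152 -> 203.0.113.5:80 tcp
192.168.1.10:49153 -> 203.0.113.9:110 tcp
192.168.1.23:50211 -> 198.51.100.77:6667 tcp
192.168.1.23:50212 -> 198.51.100.77:31337 tcp
203.0.113.5:80 -> 192.168.1.10:49152 tcp
garbage line
"""

def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port), or None for a malformed record."""
    try:
        src, arrow, dst, _proto = line.split()
        if arrow != "->":
            return None
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return (ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip),
                int(dst_port))
    except ValueError:
        return None

def denied_egress(flows_text):
    """Map each LAN host to the sorted outbound ports the allowlist would block."""
    denied = {}
    for line in flows_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip records that do not parse
        src, dst, port = flow
        # Outbound means LAN source and non-LAN destination; replies coming in are ignored.
        if src in LAN and dst not in LAN and port not in ALLOWED_OUTBOUND_PORTS:
            denied.setdefault(str(src), set()).add(port)
    return {host: sorted(ports) for host, ports in denied.items()}

if __name__ == "__main__":
    for host, ports in denied_egress(SAMPLE_FLOWS).items():
        print(f"{host}: blocked outbound ports {ports}")
```

The check looks only at the destination port, so any program on the LAN that connects out on an allowed port passes it.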