If a computer on the inside initiates a STUN session, does that
suggest it has been compromised?

If I'm running SPI (ip inspect myfw out) on my router with PAT (ip nat
inside source list 101 interface FastEthernet0/0 overload), will that
block incoming packets that target the NATed host's global IP address
and port?

Does SPI require a correct match of sequence number for reply packets
or simply IP address and port number?

IOS: C2600-IK9O3S-M, Version 12.3(26)