As a follow-up to my earlier post I have now looked at the proposed option 2 Run a script to automatically configure the IPSec filters. The provided script seems to do a pretty good job of blocking WINS replication traffic only - and have the option of specifying your replication partners as exceptions. Unfortunately the script does not take the current replication partner(s) (which are obtainable with netsh wins show partner) automatically nor does it allow you to specify multiple servers at a time - but the script can be called several times. For further details see the embedded readme file.
If you do not have an existing IPSec policy, I recommend that you deploy this method right away. The easist deployment may be to do it with psexec or modify the script as ipseccmd.exe can take a server name as the first argument.