Should Windows webservers have a hardware firewall?
Solution 1:
If you have only a single server, then I think it's OK to rely on the built-in software firewall if you know what you are doing.
However, when you have 2, 3, 4 ... 10 servers, this becomes rather complex to manage, and you're better off with a hardware firewall you can manage in one place instead.
(you'll still want software and hardware firewalls for the whole "defense in depth" theory, though, so you can't get out of running the software firewalls on each server in any case. In my experience, Windows Server 2008 and beyond have excellent software firewalls and we used them exclusively on Stack Overflow for 2 years.)
Solution 2:
Obviously "professional-grade" isn't an official term with definite properties, but if we assume it to generally mean the best-case configuration, then yes, a hardware firewall is preferred in my experience. While hardware and software firewalls can theoretically perform the same functions, a hardware firewall allows you to offload that work to a dedicated device. "Professional-grade" firewalls also have features that most software firewalls do not, and allow for much more advanced management. Also, any "professional-grade" configuration will generally include strong vendor support, which is generally superior for hardware firewalls.
Edited to add: More specifically, it runs on dedicated hardware, so it doesn't rob performance from your boxes. It sets at the border of your network, so that you have the "vault door" approach that @jowqwerty noted. It provides centralized management of firewall rules, NAT translations, etc for multiple servers. It may allow more advanced NAT/PAT configurations or other options than a typical software firewall. It typically has stronger professional vendor support.
Solution 3:
"Hardware" firewalls are just dedicated devices running firewall software. They aren't actually implemented solely in hardware. That said, most hardware firewalls are thoroughly bulletproofed against script-kiddies, malware, and various exploits that might exist in a full Windows PC. For high value sites I would never trust Windows Software to be secure enough on it's own.