NMAP has a variety of spoofing and IDS evasion options available.  They are very well documented here:

http://nmap.org/book/man-bypass-firewalls-ids.html

In general, if you want to spoof an IP address, you have to have control of that address in order for you to get a reply.  This is just due to the design of the TCP/IP protocol suite.  You don't always care if the spoofed packets come back to you.  Sometimes, you just want to flood the IDS with a bunch of random sources masking the actual port scan.  A really stupid IDS will make it difficult for the operator to detect your port scan.

tturner - why do you need access to the idle host?  I think you just need to have an open tcp port to use for the idle scan to increment the IP ID, but you don't need anything further.  Or did I misunderstand and you meant access as being such?

I mean network access. Meaning you can't target a host behind a NAT'd firewall and use another spoofed host on that same network unless you can directly communicate with it. You absolutely do not need any kind of privileged access.