Interesting dilemma, I don't know if this is possible.

Topology
(corp hq)----{internet}-----[VPN router]-----(windows XP box)

IPSec VPN tunnel is up between remote VPN router and corp HQ.  Windows machine is directly connected to the internal side of the router, but no default gateway is set.

I can SSH into the router and ping the windows box, but cannot ping the windows box directly.

Is there a way to set the gateway FROM the router since that's the only way I can communicate to it?  The alternative is flying to the remote site and setting the gateway.  Ouch.

Any help would be appreciated.  I have tried a few things without success (for example, enable NAT on the router to do translation; does NOT work because the order NAT is applied versus the VPN tunnel).

Hacks are welcome as long as the remote site is recoverable afterward! 

No worries, consider this to be a generic remote office setup.  Windows XP box sitting behind a Cisco router, running the most up to date Cisco IOS 15.X.  Users use the system locally as a standalone box.  VPN is for remote training, troubleshooting, administration, updates, etc.  In this case the installer forgot to set that one little setting.....default gw.

You are correct in your understanding, so you know what my problem is.  No gateway = no routing.  One way traffic is fine, but the responses never come back.  I can get to the server from the router itself, as you say.

There is only one box, so, correct.

No ssh or telnet, but windows file sharing is on.  I was thinking port forwarding, but i think the problem with the gateway still persists since the source addr is not changed, or am I wrong?

Yeah but you'd still need a bind shell listening on that problem XP box. Is there any human being sitting at this PC? If so, I'd just send a bind shell on a usb drive, or better yet, a netsh command in a batch file and have them open it or setup an autorun script (assuming they dont have that patched).

If you can get a bind shell on that box you could use that IOScat to interface with the PC.

He has no way to get a remote command shell on the box though, that's the problem.

As you can probably tell, it really irks me that such a simple thing is getting in my way.  I keep telling myself there MUST BE A WAY.  It's just networking.  I have Cisco IOS, I have admin credentials for the box at the other end, just no way to get a TCP connection because return traffic is being dropped.

Pretty much where we're at. Those damn humans keep getting in the way of productivity.