Understanding an attempt to exploit a webserver
This seems to be useless since the output will be printed to stdout and not returned as a server response?
It depends on the vulnerability being exploited. Sometimes, an attacker can determine if a system is vulnerable to an attack based on the HTTP status code or the time it takes for the response to be returned. If the attacker can send an attack and learn that the system is vulnerable, they may send follow up attacks but if it didn't work, move on to try a different exploit.
There is no technical reason why a server couldn't process GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 as executing the cmd.exe file and passing '/c dir' as arguments, capturing the output and sending it as a response to the user. It all depends on the design of the server that is being interacted with. In hindsight, this design is silly, as it allows attackers to take advantage of a system, but in the early years of the web, allowing this kind of access could have been desirable.
Also, why is it even possible to request files outside of the www directory? Should this not be forbidden per default?
Web servers are complicated and engineers make mistakes. Keep in mind that this type of attack is characteristic of the web in its infancy.
What are the user privileges such an attacker has when he issues those commands in a self created shell? I guess the privileges of the running server.
If an attacker could leverage such an exploit, it is probable that the attacker would get the privilege of the running server. But, the execution is going to happen according to however the program was written. Its also possible that the server could lower privileges before passing off the execution. That's not likely, but the point is that it always depends on the context of the system being exploited.
Could a firewall prevent this attack and if not, are there other measures which could have prevented this?
Yes and no. Firewall is a bit of an oversubscribed term, so some firewalls will have this capability and others will not. Some firewalls only focus on network traffic in the sense of source IP:port, destination ip:port, and don't look at the actual message being sent. Other firewalls include an Intrusion Prevention System or IPS. This is an application that compares the traffic to signatures of known bad traffic. So if the firewall has an IPS, and there is a rule for this traffic, it would be blocked.