The TCP protocol is controlled by a finite state machine implemented in the operating system's networking stack. Being a programmer, the concept of an FSM ought to be at least somewhat familiar.
Forging a TCP RST packet (that is, an IP datagram with a forged source IP address showing as coming from the remote server, containing a TCP segment with the RST bit set and the appropriate SEQ/ACK numbers) is something that anyone along the route from client to server can do to cause a TCP connection to be closed by the receiving operating system. The client receives the packet and the finite state machine "resets" the connection, closing it and preventing further data transfer.
The forged packet is indistinguisible from a "real" TCP RST packet coming from that remote host. Without using a protocol that provides authentication (IPSEC AH or similiar) there's nothing you can do to prevent any intermediate party from creating such forged packets.
Some ISPs are (allegedly?) forging such TCP RST packets to prevent "excessive" utilization of their "pipes" to the Internet by users of applications such as Bittorrent. They use a variety of hardware / software to perform the "deep packet inspection" (see http://en.wikipedia.org/wiki/Sandvine for an example of one vendor of such a "solution") to detect such traffic flows.
There's a lot of politics around the "net neutrality" debate, much of which go far beyond the scpoe of a discussion Server Fault. At the heart, I think, it's just another manifestation of the Netheads versus Bellheads battles that have been raging for years.