When you tell to the nokia VNC client to connect to MACHINE:N, it tries to connect to port 5900+N on the specified machine. So, if you put as host your.windows.box.ip:0, it will try to connect to port 5900 of your.windows.box.ip. This connection is "straight" (it does not use the ssh tunnel at all), and it is unencrypted. Moreover, it will be rejected if in the VNC server side you specified the option -localhost (which only allows connections coming from the own windows box).

When you specify the host 127.0.0.1:1 (or localhost:1 which is the same), the VNC client will try to connect with port 5901 of localhos, i.e. of the nokia.

No, it is not that way. The :1 part only specifies that it should connect to the port 5901, instead of the default 5900. The magic is performed by the ssh option -L5901:localhost:5900, which means that ssh is listenint in the port 5901 (and thus it is ssh which receives the VNC client connection), and fowards it to the windows machine, where the connection is again forwaded to "localhost:5900". Note that, at this point, localhost refers to the windows machine, since this second forward happens there. So, finally the connection arrives at port 5900 in the windows machine, where the VNC server is listening.