Here's a list of my feedback (I spent over a decade as a software tester and now I work as a programming writer, so forgive what might be a bit of overkill.)
1. There is nothing that gives the user a clear view of what to expect. A simple note saying that the calculator is intended to assist the user in determining which shipping option to use and what delivery date to expect for each might help.
2. The icons across the top that show the four different shipping options look like they should be links. They appear to be there to say when things will ship but the name of the tool is "Delivery Date Calculator" not "Shipping Date Calculator" and the information shown under them (like the date things will ship) is repeated when you enter a zip code and click Go anyway. I'd suggest removing them to reduce confusion.
3. I'd rename the column "order until" to be "place order before" and instead of just a time, put in the date and time needed to get the delivery date estimated. I think this will help clarify the fact you must order by (for example) 6:00 PM EST 5/21/2010 in order to get the delivery date in the next column.
4. I'd rename the column "delivery date" to be "estimated delivery date" to further indicate it's an estimate, not a guarantee.
5. If you want to make it more logical, you might consider rewriting it to allow the user to select a delivery date and then use the formula for estimating delivery dates and work backward so you can tell them that if they want to receive their order by (for example) June 1, 2010, they can pick Ground shipping and place their order by May 23, 2010 at 6:00 PM PST or they can pick 2nd day shipping and place their order by May 28, 2010 at 10:00 PM PST, etc. This would be a refactoring, though, so might be something for the future.
6. The field for zip code doesn't report invalid zip codes, it merely says "not available". It will take zip codes where the first 5 digits are valid but if I use Zip + 4 and make up alpha characters for an invalid 4 suffix, it takes the first 5 and doesn't report an invalid zip. You might want to just allow the 5 digits and no more but it's not earth-shaking.
7. I would recommend NOT using "tom." as an abbreviation for tomorrow.
I didn't go through a whole scenario for SQL injection or XSS. I'm pretty sure that's a lot of overkill for what you were looking for.