Online Extra: Sounding the ZoneAlarm

A how-to guide to setting up a ZoneAlarm firewall for your home or small-business network

The Internet Connection Firewall (ICF) built into Windows XP will protect your computer from Blaster and similar worms. The problem is: You really need a firewall on every computer on your network, and any computer protected by ICF becomes inaccessible to other machines on the network. So if you have a printer attached to computer A or MP3 music stored on its hard drive, you would not be able to send output to that printer or listen to the music from computer B. This defeats a lot of the reasons for having a network.

The free version of ZoneAlarm from ZoneLabs solves the problem (and premium versions offer additional features for a price). The difficulty here is that you're going to have to work with a program that's somewhat forbidding and get a little ways into the guts of networking. I'll try to help make this as painless as possible. I'd like to thank Fred Felman of ZoneLabs for his assistance.

MARKING A TRUSTED AREA. The goal here is to divide the world into two pieces, the dangerous Internet and the somewhat safer local network that will be set up, in the language of ZoneAlarm, as a "trusted" network. This means there will still be barriers between computers on the local network, but they'll be lower than the wall that seals you off from the Internet.

To set up a trusted zone, you must first download and install ZoneAlarm. Next, you need to find out your range of IP addresses (an IP address is a set of four three-digit numbers, separated by dots used on your local network.) The illustration shows what the information looks like when the configuration screen for a Linksys router is viewed in Internet Explorer. Most other routers use a very similar setup -- check your router manual or the router manufacturer's Web site.

In this case, the local network consists of two devices ("DCHP users") with addresses and If you use Microsoft's Internet Connection Sharing instead of a router (a setup I do not recommend), your local network address will always start at

ZoneAlarm Setup 1

Make a note of the addresses used by your local network.

Once this is done, put your home network into a Trusted Zone. The picture below shows ZoneAlarm Pro, but the free version is nearly identical. First, you select Firewall from the menu on the left, then choose the Zones tab.

ZoneAlarm Setup 2

Click on the Add button to create a new trusted zone.

Choose Trusted from the Zone drop down box. Then type the starting and ending addresses of your local network. The description is optional. Click OK.

Now comes the part that's a little tricky and annoying. Once ZoneAlarm (or another firewall) is installed, windows will begin popping up from programs requesting permission to access the Internet. Some will be obvious -- you'll want your e-mail program and browser to have Internet access. Some will be obscure. For example, the Spooler Subsystem App is the component of Windows that allows printer sharing and it needs Trusted Zone access. A certain amount of trial and error is needed. In general, if a program requests access and you don't know what it is, deny it and see what, if anything, breaks.

Some programs will also ask for a more powerful form of access called server access. One Windows component, called the Generic Host for Win32 Services, is particularly insistent, but it can operate just fine -- and a lot more safely -- with regular access. The screen below shows recommended setting for some common applications.

ZoneAlarm Setup 4

The good news is that the annoying permission pop-ups usually last only a couple of days. By then, you'll have used your common programs and adjusted their settings. You'll still occasionally see a request from a rarely used program, and you'll have to deal with these one at a time.

    Before it's here, it's on the Bloomberg Terminal.