Helping people with computers... one answer at a time.

Internet Connection Sharing allows you to share the internet connection of one computer among several others. There are risks if not set up properly.

I use internet connection sharing, and have my network set up as follows:

  • DSL Internet Connection connected to PC "A" through USB modem.

  • PC "A" shares its internet connection

  • PC "B" is connected directly to PC "A" and uses that shared internet connection.

I was using an old ICQ account on PC "B" when someone I didn't know popped in and started telling me about stuff on my PC "A".

Of course I did my best to catch the spot from where he got through but couldn't find a thing. I tried to scan for viruses or trojans and examined my PC for security holes using an internet service but again nothing. How could he do it? And how can I protect myself?

Your PC "A" is acting like a firewall to PC "B", so PC "B" is protected, but from what you describe PC "A" is sitting naked on the internet.

This is not good.

Get behind a firewall. Now.

This isn't the result of a hack or a virus or anything like that. It's due to the way you have your network configured.

Forget machine "B" for a moment; your machine "A" is connected directly to the internet without protection. No matter what else you're doing, it's potentially vulnerable to all sorts of intrusions, as you've seen. That's why I so strongly recommend that you always put yourself behind a firewall when you connect a machine to the internet.

The firewall can be hardware or software. Get behind a router that does NAT, or install a software firewall, or even just turn on the Windows Firewall on machine "A". The differences between those approaches pale compared with having no firewall at all.

Now, why when you were using PC "B" for your conversation was PC "A" the one your friend could see?

"But just because one PC can act as a firewall to protect others doesn't mean it's automatically also protecting itself; it's not."

Because PC "A" was itself acting like a firewall.

When internet connection sharing is enabled, it performs NAT or Network Address Translation just like routers do. As a result, all the computers that share that internet connection are hidden behind that firewall. The only thing visible from the internet is that firewall, or in this case, PC "A".

But just because one PC can act as a firewall to protect others doesn't mean it's automatically also protecting itself; it's not. So while PC "B" is appropriately and importantly protected by PC "A" acting as a firewall, PC "A" itself is unprotected.

My recommendation, for simplicity's sake, is simply to get a broadband router. Connect that to your modem, let it be your firewall, and then connect your two PC's to the router.

Article C2983 - April 3, 2007 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
April 3, 2007 11:16 PM

Some of us with older broadband connections (mine is an older Hughes/Direcway satellite connection, DW4000) don't have the router option as the ONLY connection option is USB and software on the host computer for it all to run right. So I HAVE to run ICS without benefit of a router firewall in front of it all (as I don't have a spare machine that could have no other duties besides running the satellite connection and passing it on to a router).

But some firewalls (and I don't have experience with many, so PLEASE don't take this as a recommendation) are set up for ICS - I'm using the not-free version 7 of Zone Alarm Security Suite which has an ICS protection option - I hate that it slows my boot time unbearably but it does seem to be doing a good job of protecting both my computer (the host) and my kid's (the client) from incoming annoyances (100% from Shields Up for both computers) but, since it is not installed on hers, doesn't take care of outgoing concerns from her machine, I am still working on that as I don't want to burden her older, slower computer with the bloat of the full-blown ZASS 7.

So there are options...a good firewall on the host computer may be fine for incoming attacks for all machines on a local network but it seems that software on each individual machine is needed to deal with possible outgoing issues...


Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.