Helping people with computers... one answer at a time.

Zone Alarm is a popular firewall you install on your machine. If you also have a NAT router you may - or may not - need a firewall such as Zone Alarm.

I have a WinXP Pro PC behind a NAT router and am getting tired of Zone Alarm to the point where I think Zone Alarm is creating more problems than it solves. Some have suggested that I do not need a software firewall as long as I practice safe computing. Do you agree? And can you recommend a different free software firewall solution just to satisfy my paranoia?

As you've seen, there differing opinions on this. In reality it does, indeed, depend on how you use your system and how "safe" your safe computing really is.

It's also important to understand that there are a few things that a software firewall like Zone Alarm can do that NAT routers typically don't.

Let me tell you what I do, and you can draw your own conclusions.

My home network lives behind a NAT router, and my machines at home do not have a firewall installed, other than Windows XP's built-in firewall - which is turned off.

You can easily see which way I lean on this particular issue.

I have a complete suite of security tools in place, including anti-virus, anti-spyware, automatic updates, backups and the like. Both my wife and I religiously practice "safe computing" - we're both good at identifying suspicious attachments, for example, and don't download things that might be dangerous (or if we do, we do so in a very controlled manner).

The result is that over many years we've never experienced virus or significant spyware infection or related issue. That's not to say it won't happen some day, but so far what we have, and do, has proven to be quite adequate.

Note, though, that I said "at home". On occasion I do take my laptop out and connect to other networks - networks such as public hotspots, or networks over which I have no control and very little knowledge. In these cases I enable the Windows firewall.

There are important differences to note between NAT routers and firewalls such as Zone Alarm.

"If you avoid all of the other ways that viruses and spyware can arrive on your system ... then a NAT router will do its part in preventing network based attacks.

A NAT router, for example, can only prevent attempts to access your computer from outside of your LAN. That means that and problems already within your LAN are not abated, or detected, by the router. If you have an infected machine within your LAN behind your router, it can easily infect all the other machines on your LAN. If your machine is infected and connecting to the internet in unexpected ways, a router will detect, or stop it.

That's why the big emphasis on if you practice safe computing. If you avoid all of the other ways that viruses and spyware can arrive on your system (email and web downloads being the worst), then a NAT router will do its part in preventing network based attacks.

A software firewall running on each machine is naturally going to protect against many types of problems regardless of where they come from: other machines on your local network, or the internet. Now, like a NAT router, a software firewall cannot prevent infections from internet downloads and email attachments. However unlike a router, a software firewall can detect, and prevent, certain types of bad behavior - like a virus on your machine attempting to spread to others.

This "outbound" protection is both a blessing and a curse. The most common complaint that I get about Zone Alarm and similar products is that it alerts too often, and for benign and valid access of the internet. That's unfortunate, because when it alerts too often for all these "false positives", people start ignoring the alerts, or turn off the feature completely. When a real problem happens they're unable to distinguish it from the noise, and frequently ignore that as well.

Fortunately, I don't believe that's a terribly common situation, but it is annoying when it happens.

Now given your dislike of Zone Alarm, here's the kicker ... there are many free software firewalls (just search Google for "free firewall") - but the one that seems to fairly consistently bubble to the top of people's recommendations appears to be: Zone Alarm. Since I don't use one myself, I rely on those recommendations instead to guide people - but if you're not happy with Zone Alarm, there are many alternatives to try as well.

But personally, I'm quite happy with my NAT router, the Windows built in firewall as needed ... and a little common sense.

Article C2771 - August 27, 2006 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

August 28, 2006 7:07 AM

If you are looking for a good and free Firewall (the free version has some minor features disabled though), you should try Sunbelt Kerio Personal Firewall.

I used Zone Alarm before, but Kerio offers a better user-experience IMHO.

Also note that, like Zone Alarm, it blocks network access in both directions. The XP-firewall lacks that feature IIRC.

September 1, 2006 6:34 PM


September 2, 2006 2:28 AM

I dont think you do Zone Alarms outbound protection justice. You can disable all information alerts and keep the program alerts. It has alerted me more than once to malware that was trying to phone home. So its a blessing not a curse.

Dr. Phil
September 2, 2006 3:16 AM

If you're getting too many alerts from Zone Alarm, tick the "remember my answer" box before Accepting/Denying. Also, in the ZA Control Centre, "Alerts & Logs", set to OFF (Do not show any informational alerts).

Fred Howard
September 2, 2006 3:30 AM

I love Zone Alarm. It asks you to OK a lot of programs, etc., at first. But after using it awhile, it only has to ask you whether you want to accept or reject files that would otherwise be sent to you from sites without your knowledge that they are being sent.

This is very valuable.

I almost always refuse to accept anything that I am not certain will not hurt my computer. If what I want to view at the site I am visiting will not display because it NEEDED the material that I decided not to accept, I realize what has happened, and I go back to where the spot where the program will resend the needed file or files, and this time I accept them.

Zone Alarm is great and has saved me many major headaches.

Fred Howard

mike yaros
September 3, 2006 5:29 PM

I have zone alarm pro version 4.0123.012. I have certain problems as follows: Whenever a program tries to access the internet, I get an alert asking my prmission. I usually check off a box asking it to remember my answer. Recently it began to "forgret" and ask me for certain programs over and over. Then it got real bad and the whole database erased each reboot. I did a search and on a user forum was told to reboot and delete certain files. Then reinstall the program in safe mode. The reason was that these files were likely corrupted. I did this, and it's a lot better, but I still forgets some, but not all programs. This is liveable, but annoying.

Michael J. Yaros

Ivan Tadej
September 3, 2006 7:31 PM

1. Well as first, regarding the other free firewall alternatives beside Zone Alarm (and beside the mentioned Sunbelt Kerio Personal firewall), I would also recommend trying the Sygate firewall. Oh and btw. I also used Kerio firewall back then for some time, but it was still the old "non-Sunbelt" version.

2. As second, regarding the "outbound protection"; you see, many people argue (especially on Ars Technica forum that I frequently visit/participate on it) that the outbound traffic monitoring firewalls are more or less useless, since once the malware is on your computer you are already owned and that the malware could in turn turn-off your firewall and disable the Windows "Security Center" altogether. If you want to, see the recent "Do we need an outbound traffic monitoring firewall ??" thread: that I opened on CastleCops forum about this.

3. And as third, regarding the Zone Alarm that doesn't remember the setting for a particular program (btw., I don't use the program anymore); in my opinion one of the reasons might be that the program is launched from different locations (for instance TEMP sub-directories), and the other one being the possibility that the "database" was corrupted (as already mentioned by the poster above), which actually doesn't occur so rarely at all in Zone Alarm's case. If I recall correctly the "database" is a common .xml file (or two .xml files) that you need to delete along with logs' folder, and after that reboot to start "fresh".

P.S. -- I would also recommend searching Zonelabs site for older non-bloated versions of Zone Alarm firewall that were certainly more resources-friendly and stable in general !!


best regards,
Ivan Tadej, Slovenija, EU

September 4, 2006 12:48 AM

I learned the hard way that Zone Alarm could NOT be overwritten (address redirected),(by malware, etc.). Norton can. I have nothing but praise for my Zone Alarm free firewall. Sure, it has it's quirks but for a lower level computer user like me, well, It's worth it's weight in gold. VIC

December 13, 2006 2:32 AM

in my co there are 50 comp's all is having win2000 and winxp, the problem is when we access a programm2 from data server it is database programme and all the machine is accessing from the data server and when we access it its running very slow what could be the problem please help me it is urgent.



Mike B
January 6, 2007 12:09 PM

Ask leo is an excellent help.Regarding Zone Alarm, I have been using it for years and have had no problems. I recently went wireless and have a 192..168 address when i look at the DOS prompt as suggested.Ian Gizmo Richards has recently said he is going to change over to Comodo Firewall early 2007. This is a free programme and comes well recommended, a friend of mine who is very particular and a born sceptic recommends it highly as well.I would think that Gizmos recommendation alone should carry a lot of weight, as, like leo, he is ultra well experienced and informed.Hope this helps.

January 27, 2007 4:42 PM

Ask Leo ..... great site. I have a router and i use ZoneAlarm Pro. As my ZA is up for renewal i might well not bother. Trouble is its the paranoia that kicks in. I cant see my hardware firewall so does it really work ? !! I even disabled my ZA and went to and ran the LeakTest ..... guess what .... my firewall was penetrated !! Looks like ZA free might get my vote or maybe Comodo ;)

June 6, 2007 8:39 PM

Hmmm, one thing I don't like about zonealarm is that when I start up Pangya, during that time it shows up the box then my Pangya hangs or can't login at all. Normally i would shut down zonealarm when I'm playing online, save the trouble of restarting my pc again.. -.-;

January 16, 2008 6:32 AM

It's a constant debate whether a router peforming NAT is just enough. From what I've heard and read, a software firewall will add an extra layer of protection, and block outbound traffic, your router is just going to do what comes in. Not what goes out. Overall, reading about firewalls and security I find very interesting. Windows Firewall at least in XP, lacks outbound protection. This is one of the cons of it. I've used ZA, Sygate, and one other firewall and ZA I've found myself coming back time and time again. It's easy to use and configure, and effective. You can get rid of the nagging alerts if you go to the alerts tab and choose off, program alerts will still be displayed. I admit ZA has gotten more bloated. It works well though and I highly recommend it. If your router does SPI, that's extra protection, again--no outbound protection on your router though. ZA free version is very configurable and you can get rid of the nagging alerts if you know how to press the correct buttons.

Leo A. Notenboom
January 20, 2008 4:29 PM

Hash: SHA1

The problem with outbound protection is that when it traps
something real, it's too late - you've got outbound bad
traffic because there's something bad on your machine. If
you don't have malware on your machine, then the outbound
warnings are just so much noise (that often serve to mask
anything valid that might come up anyway).

IMO inbound-only firewalls - particularly NAT routers - are
the way to go.


Version: GnuPG v1.4.7 (MingW32)


January 15, 2009 10:26 AM

I've had nothing but problems using software firewalls such as both the free zone alarm and the pay-for zone alarm pro, norton's firewall, sygate's firewall. I've done lots of port scanning using all those previously mentioned software firewalls and found that 1 or more of my ports were showing up as being closed which is not good. You actually want your ports to be a be stealthed out like a black hole. I use NetGear's WGR614 v7 router alongside those previously mentioned firewalls such as norton and zone alarm and again I say the ports were closed. I had lots of problems with zone alarm and norton. I then removed them and decided to try Windows xp own firewall with my netgear router and found during the port scanning that my ports were now being shown as fully stealthed. I quit having problems using the combination of a netgear router and windows firewall. Scan your ports at

November 25, 2009 12:41 PM

I removed Zonealarm because I thought my router would be all the protection I'd need. I ended up with a virus that e-mailed itself to EVERYONE in my address book, without my knowledge. Zonealarm would have caught this activity right away, and I'd have been able to deal with the infection before it had a chance to harass my contacts.

To this day, the guys at work have nick-named me " VirusBoy "...

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.