| ZoneAlarm/ZoneAlarm Pro
ZoneAlarm and ZoneAlarm Pro both allow you to
restrict network access for inbound and outbound connections on
an application-by-application basis. ZoneAlarm Pro allows you to
further restrict access based on source and destination IP address/range
and the port being used. This document describes the application-based
firewall and demonstrates the proper configuration for ZoneAlarm and
ZoneAlarm Pro to allow Internet Explorer and Netscape Navigator
to work with NetSafe/NetSafe Plus.
If ZoneAlarm is locked, as shown below, access to and from the
Internet is disabled and NetSafe will not function.
For NetSafe to work, ZoneAlarm and ZoneAlarm Pro
need to be unlocked, as shown below.

Program Control
This section allows you to grant or deny permission, or to be prompted
for it, when an application attempts to access the Internet.
Screenshots from ZoneAlarm and ZoneAlarm Pro are shown below. For the
rest of the documentation we will use ZoneAlarm Pro for screenshots.
All features and operations discussed are the same for both versions.
Column Definitions:
· Active - Is the application currently running
· Programs - Name of application
· Access - Is this application allowed to access other systems
in the Trusted or Internet Zones
· Server - Are other systems from the Trusted or Internet
Zones allowed to connect to this application


When an application is launched that does not
have an entry in Program Control,
a box similar to the one below will appear.

Options:
1. Yes - Access will be allowed for the application specified.
2. No - Access will not be allowed for the application specified.
*NOTE: If the check box for 'Remember this
answer the next time I use this program.' is left unchecked, this
prompt will be displayed every time the application is started anew.
If the check box is checked, the option chosen will be remembered
as the default for that application in the future.
Below you will see two examples of Program Control
with entries for two applications.
The first displays an application, 'Internet Explorer',
that has been allowed access without checking the check box and
an application, 'Netscape', that has been denied access without
checking the check box.

*Note: A question mark indicates that the application will
request access each time the application is run.
The second displays an application, 'Internet
Explorer', that has been allowed access with the check box
checked and an application, 'Netscape', that has been denied access
with the check box checked.

*Note: A checkmark indicates that the application will be granted
access without prompting for permission. An X indicates that the
application will be denied access without prompting for permission.
Program Control should have at least the following
entries for Internet Explorer and Netscape to work.

*Note: Minimal entries and settings for Internet Explorer, Netscape
and NetSafe/NetSafe+ interoperability.
Any settings for an application entry can be changed
by clicking the icon that identifies the current setting and selecting
a new option from the popdown menu, as shown below.

Internet Explorer Considerations
In addition to its own entry, Internet Explorer requires that
svchost.exe be granted access in order to function properly.
'svchost.exe' (Generic Host Process for Win32
Services) - Provides DHCP and DNS Services. If svchost.exe is not
granted permission to access the Internet by ZoneAlarm, Internet
Explorer will not be able to resolve host names. A sample error and
the ZoneAlarm prompt are shown below:

*Note: Error displayed when svchost.exe is not allowed access
and Internet Explorer is unable to resolve host names.

*Note: Prompt shown when svchost.exe attempts to access
the network.
|