WinXPSp2 Firewall & ZoneAlarm

Guest

Both computers are WinXPSP2 on a wired D-Link DI 604 router & cable modem.
On computer #1, using ZoneAlarm 5.5 (free) it seems fine to
be able to share files etc. However, computer #2 which is using the WinXPSP2
Firewall they will not share files except for the printer. I do not know
where in WinXpSP2 Firewall to put required info so #2 can share with #1. If
ZA is shutdown it shares files. Turned on, ZA blocks #2 from reading my
files. I put in #2s Address/Sites & Trusted. I'm not familiar with WinXPSP2
Advance Service Settings and where I find the Ports numbers to connect #2 to
find #1 computer? Do I need TCP or UDF? Internal or External or both? ZA
Alert "Protected" Showed me it blocked me from #2s IP & (TCP Port 1086)[TCP
Flags: S] More Info was even more confusing. So, now I'm totally lost and the
wife can't share files with me! So you know how serious that is!!
Thanks for the help folks!
 
Chuck

Both computers are WinXPSP2 on a wired D-Link DI 604 router & cable modem.
On computer #1, using ZoneAlarm 5.5 (free) it seems fine to
be able to share files etc. However, computer #2 which is using the WinXPSP2
Firewall they will not share files except for the printer. I do not know
where in WinXpSP2 Firewall to put required info so #2 can share with #1. If
ZA is shutdown it shares files. Turned on, ZA blocks #2 from reading my
files. I put in #2s Address/Sites & Trusted. I'm not familiar with WinXPSP2
Advance Service Settings and where I find the Ports numbers to connect #2 to
find #1 computer? Do I need TCP or UDF? Internal or External or both? ZA
Alert "Protected" Showed me it blocked me from #2s IP & (TCP Port 1086)[TCP
Flags: S] More Info was even more confusing. So, now I'm totally lost and the
wife can't share files with me! So you know how serious that is!!
Thanks for the help folks!

For Windows Firewall, just enable the File and Printer Sharing exception
("Exceptions" tab), and edit the exception to make sure its Scope is set to
subnet.
 
Guest

First off, you are already behind a router, which acts as a firewall
(probably better than Zone Alarm).

1. I would uninstall Zone Alarm

-- Now you have to enable File and Print sharing (in the XP Firewall)

1. Go to Start-->Control Panel --> Network Connections --> Select your
network connection.
2. Click on the 'Properties' button. Click on the Advanced Tab. Look
around here, make sure File and Printer sharing is enabled (as an Exception).

If by chance you keep on getting a log on prompt, which forces you to use
Guest as a username.... Paste the below text in a file, save the file with
an extension of .reg. Now just double click on the file, and merge it.

[Copy Below]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000

[End Copy]
 
Bob Willard

Dan said:
First off, you are already behind a router, which acts as a firewall
(probably better than Zone Alarm).

1. I would uninstall Zone Alarm

Arrrrgh. The router acts as a firewall for inbound traffic, but it does
nothing to stop outbound traffic (from trojans and other malware that
you accidentally download) -- that's a big advantage of ZoneAlarm and
the like.

There is nothing wrong with running ZoneAlarm behind a router. I run it
on each of my PCs, and I use a router to get to the 'net.
 
Guest

I strongly agree with you Bob! I don't believe I'm the only person in my
similar situation. I hope someone will be able to help me resolve the
problem I have.
 
Bob Willard

Rip999 said:
I strongly agree with you Bob! I don't believe I'm the only person in my
similar situation. I hope someone will be able to help me resolve the
problem I have.

For configurations like yours (and mine), with a bunch of PCs behind a
NAT router, I suggest running ZoneAlarm (or something similar) instead
of ICF (a/k/a Windows Firewall). ZA does everything that ICF does and,
unlike ICF, it blocks outbound traffic. If you use DHCP on your LAN
with the router as the DHCP server, then use ZA's Control Panel on each
PC to add a range of IPAs to ZA's Trusted Zone; for example, if the
DHCP server hands out IPAs like 192.168.1.1xx, then Add a Range of
192.168.1.0-192.168.1.255 to cover all PCs, the router, and broadcasts
on your LAN.
 
Interrogative

Bob Willard said:
For configurations like yours (and mine), with a bunch of PCs behind a
NAT router, I suggest running ZoneAlarm (or something similar) instead
of ICF (a/k/a Windows Firewall). ZA does everything that ICF does and,
unlike ICF, it blocks outbound traffic. If you use DHCP on your LAN
with the router as the DHCP server, then use ZA's Control Panel on each
PC to add a range of IPAs to ZA's Trusted Zone; for example, if the
DHCP server hands out IPAs like 192.168.1.1xx, then Add a Range of
192.168.1.0-192.168.1.255 to cover all PCs, the router, and broadcasts
on your LAN.

Bob,

There are only 2 probs I have with that:

1) ZA Free in "out of the box" mode doesn't NAT. You need ZA Pro for that.

2) Don't EVER consciously allow auto assigned IPs on your computers for
their home LAN operations. XP is notoriously SLOW to use the local LAN that
way. Manually assigned IPs are so much easier and in ZA Pro you can enter
the entire LAN as Trusted, if you wish and then turn Trusted Zone to Low
which means OFF. As Internet Zone will be on and protecting and assuming you
trust the members of your local LAN, all will be OK.
 
Bob Willard

Interrogative said:
Bob,

There are only 2 probs I have with that:

1) ZA Free in "out of the box" mode doesn't NAT. You need ZA Pro for that.

2) Don't EVER consciously allow auto assigned IPs on your computers for
their home LAN operations. XP is notoriously SLOW to use the local LAN that
way. Manually assigned IPs are so much easier and in ZA Pro you can enter
the entire LAN as Trusted, if you wish and then turn Trusted Zone to Low
which means OFF. As Internet Zone will be on and protecting and assuming you
trust the members of your local LAN, all will be OK.

1. Your router does NAT, not ZA. ZAF and ZA$ both work fine on PCs which
use DHCP.

2. Getting IPAs automatically via DHCP has no effect on network speed,
since DHCP is only invoked about once a week plus once per reboot.

And, as I suggested, you can place all PCs in a Trusted Zone by adding
a single IPA range, whether IPAs are assigned statically or via DHCP.
 
Guest

Oh-Oh, I think I'm getting lost, but..... Sounds like the easy way out would
either both use ZA or the Win Firewall.
Our 2 computers have specific IP's and I set hers (#2) as Trusted and mine
says Internet, Is that correct? I can view her files okay. She can't get to
mine even though my ZA setting says she's Trusted. The ZA Alerts & Logs show
me similar info: Sometime the Rating is High sometime Medium even though both
are set at medium. Type is always Firewall, Protocol says either TCP
(flags:s) or occasionally UDP. No Program shown. Source shows her (#2) IP:xxx
or xxxx (a : & different #) Destination is my IP, and again a colon usually
followed by, but not always a 139 or 137. Direction is Incoming and Action
Taken is Blocked. AND it shows Destination DNS is ME #1.
In her WinXP Firewall I put in my IP but it asked for External or internal
TCP or UDP info. So, I thought with the correct setting that would solve the
problem. But, as I said earlier I'm lost and getting more & more confused
trying to follow the posts.
 
Bob Willard

Rip999 said:
Oh-Oh, I think I'm getting lost, but..... Sounds like the easy way out would
either both use ZA or the Win Firewall.
Our 2 computers have specific IP's and I set hers (#2) as Trusted and mine
says Internet, Is that correct? I can view her files okay. She can't get to
mine even though my ZA setting says she's Trusted. The ZA Alerts & Logs show
me similar info: Sometime the Rating is High sometime Medium even though both
are set at medium. Type is always Firewall, Protocol says either TCP
(flags:s) or occasionally UDP. No Program shown. Source shows her (#2) IP:xxx
or xxxx (a : & different #) Destination is my IP, and again a colon usually
followed by, but not always a 139 or 137. Direction is Incoming and Action
Taken is Blocked. AND it shows Destination DNS is ME #1.
In her WinXP Firewall I put in my IP but it asked for External or internal
TCP or UDP info. So, I thought with the correct setting that would solve the
problem. But, as I said earlier I'm lost and getting more & more confused
trying to follow the posts.


OK, back to basics -- Since your PCs are behind a NAT router, turn off ICF
(the Windows Firewall) forever. Install/enable ZoneAlarm on both PCs. On
each PC, invoke ZA's Control Panel, click on Firewall, then on Zones, then
Add an IP Range (to the Trusted Zone) of 192.168.1.0-192.168.1.255, then
click on Apply -- that will place both PCs and the router in the Trusted Zone
of each PC. {I'm assuming that each PC is set as a DHCP client and that
the router uses the common 192.168.1.1 IPA, and is the DHCP server, and uses
the standard DHCP range of 192.168.1.whatever; if you want static IPAs, then
disable DHCP on the PCs and give them 192.168.1.111 and 192.168.1.112 and give
them masks of 255.255.255.0 to get the same effect.} Now that your entire
LAN is in the Trusted Zone of each PC, the IPAs will not impede sharing.

If I recall correctly, you already had the protocols and network APIs OK,
so fixing the firewalls and IPAs should fix your problems. If something else
is wrong, let us know.
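
The alerts described in this thread (incoming, blocked, destination port 139 or 137) are Windows file-sharing traffic, and whether the suggested Trusted Zone range covers them depends on the sender's address. The following is an added example, not code from any poster or from ZoneAlarm: it triages such alerts against the 192.168.1.0-192.168.1.255 range. The record fields and all addresses are constructed, and it also handles UDP 138 and TCP 445, which the thread does not mention.

```python
import ipaddress

# Windows file and printer sharing ports (NetBIOS over TCP/IP, plus direct SMB).
SHARING_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
}
# Private (RFC 1918) address space; anything else is treated as Internet-side.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_range(ip, first, last):
    """True if ip lies in the inclusive range first..last."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

def triage(alert, first="192.168.1.0", last="192.168.1.255"):
    """Classify one alert against the Trusted Zone range first..last."""
    if alert["direction"] != "Incoming" or alert["action"] != "Blocked":
        return "ignore"
    if (alert["protocol"], alert["dst_port"]) not in SHARING_PORTS:
        return "not-file-sharing"
    src = ipaddress.ip_address(alert["src_ip"])
    if not any(src in net for net in RFC1918):
        return "keep-blocked"           # sharing traffic from outside the LAN
    if in_range(alert["src_ip"], first, last):
        return "trusted-but-blocked"    # range fits; confirm it was applied
    return "lan-peer-outside-range"     # range does not match the real subnet

# Constructed sample alerts (hypothetical field names and addresses).
ALERTS = [
    {"protocol": "TCP", "src_ip": "192.168.1.112", "dst_port": 139,
     "direction": "Incoming", "action": "Blocked"},
    {"protocol": "UDP", "src_ip": "192.168.0.102", "dst_port": 137,
     "direction": "Incoming", "action": "Blocked"},
    {"protocol": "TCP", "src_ip": "203.0.113.7", "dst_port": 445,
     "direction": "Incoming", "action": "Blocked"},
    {"protocol": "TCP", "src_ip": "192.168.1.112", "dst_port": 80,
     "direction": "Incoming", "action": "Blocked"},
]

def triage_all(alerts=ALERTS):
    return [triage(a) for a in alerts]

if __name__ == "__main__":
    for a, verdict in zip(ALERTS, triage_all()):
        print(a["src_ip"], a["protocol"], a["dst_port"], "->", verdict)
```

The second sample shows the case where the LAN is not actually numbered 192.168.1.x: the peer is a private address, but the Trusted Zone range never matches it.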
 
Interrogative

Bob Willard said:
1. Your router does NAT, not ZA. ZAF and ZA$ both work fine on PCs which
use DHCP.

Sure Bob but ZA free doesn't in "out of the box" mode so your comment that
"then use ZA's Control Panel on each
2. Getting IPAs automatically via DHCP has no effect on network speed,
since DHCP is only invoked about once a week plus once per reboot.

Wrong. It is a common thing that auto assigned IP with XP is terribly slow
for the XP to get on with the network. It can take, in some cases I have
witnessed, up to 10 minutes for it to become part of the network. However,
set to manually assigned and it is seconds to become part of the network.
And, as I suggested, you can place all PCs in a Trusted Zone by adding
a single IPA range, whether IPAs are assigned statically or via DHCP.

If they are trusted, why have a firewall like ZA? You could remove the
possibility of future stuffups by NOT using it. After all, each XP machine
would have a firewall and even if pre-SP2, you can check if it is turned on.
 
Interrogative

Rip999 said:
Oh-Oh, I think I'm getting lost, but..... Sounds like the easy way out
would
either both use ZA or the Win Firewall.
Our 2 computers have specific IP's and I set hers (#2) as Trusted and mine
says Internet, Is that correct?

Correct and manually assigned, faster to become active on the network with
XP.
I can view her files okay. She can't get to
mine even though my ZA setting says she's Trusted.

I came in a little late on this - which files? In XP, you not only have to
share C drive, some folders require the actual folder ITSELF to be shared to
be open on a network.
The ZA Alerts & Logs show

If you have ZA free, it will apply to Internet. I would have your XP
firewall on her machine and basically it will work. I have an XP laptop on
my home LAN and it goes out to Internet effortlessly through this machine
and shares properly within the LAN as well. If you are picking up alerts
from your home LAN in ZA free edition, you have another problem. ZA FREE
isn't for that purpose. ZA Pro will do that fine. If you have ZA Pro either
paid for or not, set the TRUSTED network alert level to LOW (which is
basically OFF) and it will get through just fine so long as proper sharing
is set up.
 
Bob Willard

Sure Bob but ZA free doesn't in "out of the box" mode so your comment that
"then use ZA's Control Panel on each

At first invocation (out of the box), ZA uses the most protective settings.
If you wish to decrease the protection, you use ZA's Control Panel to define
the pieces of protection you want decreased or eliminated. This is the same
approach used by the Windows Firewall in XP SP2, and it seems sound to me.

Admittedly, ZA does not read the user's mind very well. ;-)

Wrong. It is a common thing that auto assigned IP with XP is terribly slow
for the XP to get on with the network. It can take, in some cases I have
witnessed, up to 10 minutes for it to become part of the network. However,
set to manually assigned and it is seconds to become part of the network.

DHCP takes time; no argument. But what did you find wrong with my statement
that "DHCP is only invoked about once a week plus once per reboot", eh?

Remember the context of this thread: a SOHO LAN with a handful of PCs
running behind a NAT router which may be the DHCP server. In a configuration
like that, have you ever seen DHCP take 10 minutes?
If they are trusted, why have a firewall like ZA? You could remove the
possibility of future stuffups by NOT using it. After all, each XP machine
would have a firewall and even if pre-SP2, you can check if it is turned on.

The advantage of ZA (and similar firewalls) over ICF (the Windows Firewall)
is that ZA blocks some outgoing traffic, while ICF does not. Thus, ZA
provides some protection from the "phone-home" class of malware.

The ICF of XP SP2 is greatly improved over the pre-SP2 ICF. Yet, AFAIK, it
does not block any outbound traffic. So, I recommend ZA (or the like) over
ICF for SOHO routed LANs.

{If ZoneLabs feels the urge to send me a large check for this unsolicited
testimonial, my wife will undoubtedly cash it. Hasn't happened yet.}
 
