Just enabled HIPS-like "process inspection" popups on Firewall. To get Firefox 18 --or IE 9 -- up and running I have to approve as an example: Firefox (listen on 127.0.0.1 49191) Explorer (listen on 127.0.0.1 49191) Userinit (listen on 127.0.0.1 49191) Sandboxie (start.exe listen on 127.0.0.1 49191) Upon approval FF establishes loopback on 49191 -49192. The other processes do not open any ports, but are allowed in the Firewall with 127.0.0.1 to 0.0.0.0 approval. Is this process stack normal? Am I opening my machine to exploits (Explorer, I am told should not need any net access on a secure machine, nor start.exe (Sandboxie). I am new to HIPS, just need a firm place to start. Thanks.