Windows Explorer trying to connect various IPs

Discussion in 'other firewalls' started by stalker, Feb 8, 2004.

Thread Status:
Not open for further replies.
    LowWaterMark (Administrator)
    Joined: Aug 10, 2002 | Posts: 18,280 | Location: New England
    Glad to help... These types of debates help us all to better understand how these things work. ;)

    The Log Viewer display in ZAP is misleading, that's all this is about. I'm sure that the alerts on Windows Explorer are because it is the parent, not because it is accessing the exact same ports at the same time as the soulseek program.

    As a matter of fact that can't happen. Two programs can not talk on the same port at the same time. If soulseek gets a connection (from a local port on your system to a remote port on the Internet server), those are exclusive connections. Windows Explorer can not also connect on both those exact ports while soulseek is on them. As I said, Windows Explorer is apparently the parent program in this case, so the ZAP alerts look that way whenever a block occurs. Windows Explorer is not "shadowing" soulseek and connecting to everything at the same time.

    The information is in the details... You need to select each alert one at a time in the log viewer panel and look at the detail description section for more information. Unfortunately, ZAP has never consistently reported full information on Windows Explorer activity since I've been using it.

    But, where would the malicious traffic come from, if not from a program? Using the svchost.exe example here, where you grant it "allow access out to Internet" in the Programs tab, which is what has been recommended... Malicious traffic can not just "get inside" svchost.exe without some other program involved. If you get a Trojan on your system that is missed by your malware scanner, and if that Trojan is the type that does DLL injection, i.e. trying to attach an infected DLL to svchost.exe, ZAP's component control will see that and give you an alert.

    Now, there are many types of malware out there, and they all work in different ways, but malicious traffic must come from somewhere. If it's a standalone program, ZAP will see it trying to access the network, or if it "calls another program" to access on its behalf. If it's a DLL injection, then ZAP's component control will alert on that and you can still catch it.

    On XP systems NetBIOS is enabled by default originally. One thing you should do is reboot your system and don't start any applications (like soulseek, browser windows, etc. - run nothing), just dialup to the Internet normally then open a CMD window: ( Start menu > Run... "CMD" without these quotes. ) This will bring up a command window on XP that looks like an old MS-DOS window. In there type: netstat -ano

    This will list the ports open on your system. If you could copy and paste (or attach a screen image of it) here, then we'll know what ports start up listening on your system after a clean reboot. It'd help determine what's what.

    Unchecked like they are in your image, they are certainly disabled. But you also need to highlight the "Internet Protocol (TCP/IP)" item then hit that Properties button... On the new screen that comes up, hit the Advanced button, then the "WINS" tab. NetBIOS is in there (on every network applet you have - check them all if you have more than one). If you aren't using it, make sure it is disabled there.

    I guess, but it isn't necessary.

    That is exactly correct. The same happens with me - very rare, but occasional "late DNS replies" cause an alert in ZAP asking about incoming packets from my ISP's DNS server. Now, I'm not saying you need to allow them, I'm just explaining what these alerts are... Frankly, I block those alerts when they pop-up, and still have no problems browsing. So, it sounds like you are seeing what a lot of us see, occasional DNS alerts from late response packets.

    Yes, but why speak in "probablys" here? What you posted there is missing too much information. If you want to discuss logged items, then post the entire thing. Log entries include protocol, src/dest ports, flags, time stamps, src/dest addresses... The only thing you should not post is your full public (ISP assigned) IP address, but all the rest is needed if you want people to comment on what's going on.

    Well, that depends entirely upon the range you are entering, how big it is and who uses it. For DNS servers, you really ought to just list the specific DNS server addresses your ISP tells you to use and not a range. Who knows, some ISPs can assign customers to addresses "near" their DNS servers. What if you end up allowing another customer (like yourself) in because you allowed too big a range?

    Most of us on non-LAN connected systems (those that either dialup directly or use similar connections from our PC to ISP) have 3 addresses on our systems when connected. First is the public IP address assigned by your ISP, like "69.1.2.3". Then there is 127.0.0.1, which is "localhost" for loopback connections. And also there is 0.0.0.0, which simply means "all interfaces".

    Many forms of programs use loopback (connection on 127.0.0.1) for different purposes, but these connections don't ever leave your PC. They're sometimes used for programs to pass messages to each other, or even to other parts of themselves. It's a good little communication mechanism, but remote systems can not actually talk to programs listening on your 127.0.0.1 network interface, because it's only inside your system and does not accept connections from outside.

    Your public IP address is obviously what the world sees. If you allow incoming connections, then systems from anywhere might be able to connect into you. But, 0.0.0.0 is special... A program on your computer listening on 0.0.0.0 is listening on all network interfaces that you have available, network-wide (Internet included) or just local to your PC.

    None. Personally, I've disabled ALG but if you don't do that, it is somewhat similar to the others we've been talking about - a special OS based service program that you'd really need to do a lot of study on to determine what accesses, out of all the types it can do, are actually used on and needed by your system.

    Well, this is all just terminology here, and Zone Alarm terminology in terms of the alerts you will get.

    In the basic sense, data packets on the network are always either incoming or outgoing. That's pretty obvious. You fire up a browser and type www.google.com and hit Enter. (Keeping it very simple for this paragraph and not worrying about IE using loopback or doing DNS lookups, or anything else...) The first thing that happens is your browser sends outgoing data packets to the google.com webserver. Google sees your request and replies back to you. These reply packets from Google are "incoming" packets to you, but IE is still the program that initiated the connection and is in control of what's going on, so ZAP says IE is doing outgoing communications...

    From ZAP's program perspective, incoming connections are those that were initiated from somewhere outside and are heading into your system without you requesting them. So, it alerts about incoming packets or connections when it sees "unsolicited" inbound packets coming at you.

    In the case of soulseek, you start soulseek locally and ZAP sees that and calls that an outgoing connection. Even if later on, someone out there requests a file from your system through the existing connection soulseek has to the central servers, from ZAP's program control perspective, soulseek is still an outbound connecting program talking over an existing connection to those servers.
     
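The post asks for the `netstat -ano` listing after a clean reboot and explains the difference between 127.0.0.1, the public ISP address and 0.0.0.0. The following is an added example (not LowWaterMark's code) that reads an XP-style `netstat -ano` listing, keeps only sockets that can receive unsolicited packets, drops loopback-only bindings and groups what remains by PID; the sample output and the PIDs in it are constructed, and the column layout is assumed to be XP's.

```python
import re

# Constructed sample of XP-style `netstat -ano` output; not taken from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1328
  TCP    69.1.2.3:139           0.0.0.0:0              LISTENING       4
  TCP    69.1.2.3:1054          66.102.7.99:80         ESTABLISHED     1600
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1026         *:*                                    1328
  UDP    69.1.2.3:137           *:*                                    4
"""

# Well-known Windows service ports worth recognising in the listing.
KNOWN_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
               138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB"}

# Columns: proto, local, foreign, optional state (UDP lines have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per socket line; banner and column headers are skipped."""
    rows = []
    for m in (LINE_RE.match(line) for line in text.splitlines()):
        if m:
            proto, local, _foreign, state, pid = m.groups()
            ip, port = local.rsplit(":", 1)
            rows.append({"proto": proto, "ip": ip, "port": int(port),
                         "state": state or "", "pid": int(pid)})
    return rows

def scope(ip):
    """Classify a bound address into the post's three cases: loopback, 0.0.0.0, a real interface."""
    return {"127.0.0.1": "loopback only", "0.0.0.0": "all interfaces"}.get(ip, "specific interface")

def listeners(rows):
    """Sockets that accept unsolicited packets: LISTENING TCP plus every bound UDP socket."""
    return [r for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"]

def exposed_by_pid(rows):
    """PID -> sorted 'proto/port (service)' labels for listeners that are not loopback-only."""
    out = {}
    for r in listeners(rows):
        if scope(r["ip"]) != "loopback only":
            label = f"{r['proto']}/{r['port']}"
            if r["port"] in KNOWN_PORTS:
                label += f" ({KNOWN_PORTS[r['port']]})"
            out.setdefault(r["pid"], []).append(label)
    return {pid: sorted(v) for pid, v in out.items()}
```

Anything listed under a PID here is reachable from outside unless the firewall blocks it; the PID column lets you match each port to the owning process in Task Manager.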