- Zone tips
- Setting Application's Zone
- You are always in charge of your own Internet security. You may decide not to connect to the Internet at all -- and be totally safe. You may decide to freely allow any kind of access from the Internet to all your applications -- and be in utter danger. What you probably want to aspire to is a reasonably safe system that still lets you work with the Internet.
- The basic principle is simple: keep Internet connectivity to a minimum. If you know why a certain application makes an Internet connection, allow it. If you don't, don't. Of course, there are applications that should be allowed to make connections: Internet Explorer, messengers, email programs, etc.
- Usually these applications make outgoing connections only. On a typical PC, incoming connections are VERY rare. They are usually needed for Internet services that your PC provides. Of course there are exceptions: for example, getting files via FTP requires you to allow incoming connections for your FTP client.
- Some FTP clients have a "passive mode" option. It prohibits incoming connections, and you usually want to do exactly that. When you just click an FTP link in Internet Explorer, you have no control over whether passive mode is used. In that case you have to enable incoming connections for Explorer in order to be able to use FTP from within it. For "normal" access to the Internet, use the "Internet Client" or "LAN+Internet" zone. For downloading, use the "Internet Download" zone. In most cases the latter is equal to the "Enable ALL" zone.
- There are .... correctly. Consider the following instructions.
- "System". This is not a real application, but rather a part of the Windows core. It requires outgoing connections to be enabled in order to access remote (shared) disks. Incoming connections are used to access your PC's shared resources (disks and printers). For this purpose System uses "13x and 44x" ports.
- "Generic Host Process for Win32 Services". This is the most used service for your Internet connectivity. Every time you want to establish a connection to any site, its name has to be resolved into its IP address. This is done by these Services connecting (both outgoing and incoming connections are used) to the "Domain Name Service (DNS)" via port "53". If your Internet connection uses a dynamic IP address (and it usually does), these Services also obtain an IP address for you from your provider's "DHCP" service (port "67", both outgoing and incoming). This is why the "Internet Client" (or "LAN+Internet") zone is most suitable for this application.
- "ALG (Application Level Gateway)". Windows XP uses this application to help other applications establish their Internet connections. It is used by all Internet-oriented applications, including any application wishing to download any data from the Internet. This is why the "Internet Download" (or "LAN+Download") zone is most suitable for this application.
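As an added example (not part of the original help text or of the firewall product), this Python script triages connection records against the per-application port guidance above and the "if you don't know why, don't allow" principle. The record format, the sample data and the reading of "13x and 44x" as ports 130-139 and 440-449 are assumptions.

```python
import csv
from io import StringIO

# Port guidance taken from the text above. "13x and 44x" is read here as
# 130-139 and 440-449, which is an assumption about the page's shorthand.
GUIDANCE = {
    "System": [range(130, 140), range(440, 450)],
    "Generic Host Process for Win32 Services": [range(53, 54), range(67, 68)],
}

def triage(record):
    """Classify one record: a dict with 'app', 'direction' ('in'/'out') and 'port'."""
    app, direction = record["app"], record["direction"]
    port = int(record["port"])  # raises ValueError on a malformed port
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction: {direction!r}")
    ranges = GUIDANCE.get(app)
    if ranges is not None:
        if any(port in r for r in ranges):
            return "expected"
        return "review: port not covered by the guidance for this application"
    if direction == "in":
        # Incoming connections are very rare on a typical PC.
        return "review: incoming connection to an application with no guidance"
    return "decide: allow only if you know why this application connects"

def triage_log(text):
    """Parse CSV records (header: app,direction,port) and classify each one."""
    rows = csv.DictReader(StringIO(text))
    return [(r["app"], r["direction"], int(r["port"]), triage(r)) for r in rows]

# Constructed sample records (not real firewall output).
SAMPLE = """app,direction,port
System,in,445
System,out,139
Generic Host Process for Win32 Services,out,53
Generic Host Process for Win32 Services,in,67
Generic Host Process for Win32 Services,out,4444
ftpclient.exe,in,5001
updater.exe,out,80
"""

if __name__ == "__main__":
    for app, direction, port, verdict in triage_log(SAMPLE):
        print(f"{direction:>3} {port:>5}  {app}: {verdict}")
```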