Windows Forum / Windows XP / Security and Administration / December 2004
XP Firewall and ICS
Alex McClane - 29 Dec 2004 22:29 GMT hi there I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to a cable modem using XP ICS. I have the XP firewall enabled by default.
The other PCs are connected to this PC through a wireless AP and everything works fine.
However, my question is, I have read that while XP Firewall does block incoming traffic, it does not block outgoing traffic (pings, probes etc.). So, would installing a personal firewall on the gateway PC like Sygate or ZoneAlarm and disabling XP firewall be better, as they appear to report on both incoming and outgoing traffic?
Also, if anybody has this in place, will the personal firewall on the gateway also block internal traffic between PCs on my network?
Any answer will be greatly appreciated.....
Thanks
Alex
Dan Walker - 30 Dec 2004 00:09 GMT The best thing you can do is put a Windows firewall on all machines and just make sure they can speak to each other.
JW - 30 Dec 2004 07:25 GMT I don't know about Sygate, but ZoneAlarm is flexible enough to set up so that either all PCs on the local network can see each other, or set it up so that none can see each other.
Of course, if they can all see each other, then they can all share viruses, worms, Trojans and other infections, so if you set them up so that they all can see each other, then don't skimp on protection by settling for free anti-virus and anti-spyware programs that don't constantly protect you by staying active in memory. When free versions of anti-virus and anti-spyware programs find infections, the infections have already done their dirty work.
Don't settle for just adequate. Buy versions of anti-virus and anti-spyware programs that constantly protect you from infections by staying active in memory.
Danor - 30 Dec 2004 12:13 GMT Alex-
Both Dan W and JW have valid points. If you go with Dan W - and firewall everything - you better use the same software on every PC unless you want to spend even more $$'s on Tylenol and Advil. You'd also be well advised to install identical NIC hardware if you can.
I too have a gateway PC w/dual NICs set up as you described. I use a Belkin 4-port DSL router as HW firewall (which you did not mention in your setup: I think a HW firewall - such as the Belkin or Linksys routers - between your cable modem and gateway ICS host is a very worthwhile improvement to your setup), a Linksys GigaSwitch for my workgroup, with Norton Internet Security installed and Windows firewall disabled. As long as your cable modem connects ONLY to the ICS host PC (and no other PC connects directly to your modem), then your firewall protection should be effective for all PCs concerned (until some hacker figures out how to defeat that capability of memory-resident SW firewalls). I don't know how easy it is in ZoneAlarm to configure workgroup connectivity, but it's a piece of cake in Norton IS. They have created "zones" similar to IE which makes conceptual understanding of how to implement their software Tylenol-free.
JW's points re: "free" (mostly, but some paid-for ones, too) anti-virus and other malware detectors are valid in that these programs are more like the old-style car "idiot light" that tells you, after the engine has fallen out, that indeed the engine has just fallen out. The malware has already unleashed itself. An ounce of prevention... JW's advice is well to be heeded.
I would submit you consider this also in your evaluations as to how to best service your overall security needs: "Real firewalls" are considerably complex animals. Most PC "power users" are not capable of managing them; they take a real security professional to install, configure, and maintain: they are quite complex. The huge majority of the firewall products which "regular" consumers like you and I consider - mostly because they are inexpensive and affordable to us - are merely scaled-down, simplified versions and have the majority of the tweaks and nuances of a real firewall pre-determined and decided for us by the manufacturer so they can sell it at $50/pop and still make a profit. What that does is to limit the flexibility the product has of being adjustable to suit any particular individual's specific need - or environment - and some features are just not flexible at all. But in order to be more than just functional, flexible capability has to exist, so manufacturers do that. But not everybody is flexible the same ways, even across similar product lines or families. This causes firmware/upgrades/updates to be an additional maintenance chore for the administrator (i.e. you). But if you implement multiple solutions on the same "layer", things can get mixed up fast if just one little setting who-the-heck-knows where gets changed (even if they're not on the same layer, this often occurs). And unless you're expert enough in knowing how all the stuff you can't change works with all the stuff you can change, and then know how to recognize when something is set this way when it should be that way, twiddling with a handful of firewalls instead of just one can be frustratingly time-consuming and cost-inefficient (think of what the electric company power meter looked like when the Griswold family house Christmas lights finally came on in National Lampoon's Christmas Vacation with Chevy Chase).
On the other hand, you might need or actually like to get hip-deep in modern software technology. It's not like only rocket scientists can do it. If I can, then anybody can. Just prepare yourself for the picky mentality of firewalls. After all, their sole purpose in life is to keep what wasn't asked for out, and let out *ONLY what you tell it* can go out. The more exceptions (e.g. rules) you build (or have to put in because you have placed more firewalls on other PCs that are really behind your REAL firewall) will *always* make things more difficult for you to administer (i.e., take care of in a clean and well-documented way), so that the things you want to accomplish amongst your own little LAN can not only be done, but be done easily and simply. If the purpose of your LAN is more of a business or career-based/supportive role in your life, then perhaps the headaches and time consumption that firmware upgrades (to routers and modems), new software releases/upgrades and updates (firewall, and lest we forget MS Service Packs) will bring to you in order to maintain a LAN where each PC is a fortress unto itself are worth it to you. Then again, perhaps not. But that's your decision to make; I'm not trying to make it for you. But if your LAN is more of a convenience (like a home network where most of the computing resources are utilized for pleasure or recreational activities), IMHO I would not spend nearly that amount of effort necessary in fretting over every little malware. I'd keep my one firewall as robust and current and simple as possible, in one place; and let the children inside the playground have an open sandbox - after all, I still wear the belt in my household, the rules will be obeyed!
Just keep handy a periodically updated ASR-recovery system restore set on a bootable CD, and tell the family THEY are responsible in backing their Documents and Settings folder to the Gateway/server, so when you need to refresh a system, you can do so fairly easily. Perhaps the first rebuild or two will do more in teaching youngsters the value of responsibly maintaining a daily "chore", when they lose their collection of MP3s for the 2nd time because they didn't do backups. A pretty cheap way to learn a valuable trait...
As long as you keep your frontline security tools (anti-spyware, anti-virus, and firewall) on your gateway the robust, best-you-can-afford kind, and up to date, and the other PCs behind it isolated from a direct connection to the internet *or any other computer*, and everybody exercises common-sense practices about removable media (floppies, CDs, Zips, etc.) from external sources, save yourself from some headache in both configuring and maintaining firewalls on every machine (just keep your ASR restore backups current after each new SW install/upgrade). Unless, of course, you want an exercise that will require you to expand both your knowledge and technical capability with computing; such a project - successfully completed - will most certainly expand that knowledge base.
Remember: with computers unless EVERYTHING is right something is WRONG and there aren't enough RIGHTS in the world to overcome one WRONG to a computer, it will just refuse to work until you make EVERY "bit" RIGHT. And firewalls are the pickiest of softwares to a computer.
But if your LAN security needs are to protect data and resources more vital than the family entertainment consoles, perhaps a more robust approach is called for. Isolating each PC has its advantages. But... if each PC has the same level and kind of protection on it and something gets onto one of them, then the others aren't appreciably more protected than the first one was. And unless you can run to the AP or gateway PC to do an emergency disconnect faster than those bits and bytes can whiz around your LAN... But, then again, having each PC port-configuring-capable makes it possible for you to micro-manage the ports on each of the PCs. Oh - BTW - there are over 65,000 ports... on *each* PC.
I realize this has been a long spiel, but I hope it's helped you evaluate your situation to a more heightened state of clarity for your needs.
Eric Niewoehner - 30 Dec 2004 10:34 GMT To answer your question -- yes on both counts. I have just recently started messing with Windows XP firewall. I previously utilized Zone Alarm and have recently been using Norton's Internet Security firewall. I like ZA and Norton's for the very reason that it doesn't take a rocket scientist to see which applications are using Internet connections.
On the flip side, I like Windows XP firewall to protect inbound traffic and typically use it on server devices. In which case, I am advertising services over a network and the firewall is just one way to ensure that I don't unintentionally open a port for enquiring minds.
Gateway firewalls usually end at the router, so peer-to-peer access should not be affected.
JW - 30 Dec 2004 11:30 GMT I also like ZoneAlarm for the superior flexibility in handling both inbound and outbound traffic. With ZA, it's not just Yes or No. If I am expecting inbound traffic from somebody particular on a specific port, I can set ZA to ask me, and answer Yes if it's who I expect, or No if it's somebody I do not expect. For outbound traffic, I can answer Yes if it's a program I know needs outbound permission, or answer No if it's a program that suddenly wants to break out without my expecting it. I can even change settings in a Limited Account. The disadvantage is the complexity and learning curve. The advantage of the XP firewall is its simplicity. Norton's firewall got some unflattering remarks in the documentation for LeakTest on www.grc.com
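The two behaviours the thread keeps contrasting, an inbound-only stateful filter (what Alex read about the XP SP2 firewall) and a program-aware one with a trusted LAN zone (what JW describes for ZoneAlarm), are easy to confuse in words, so here is a small model of both as an added example. It is not code from the thread or from either product. The 192.168.0.0/24 ICS subnet, every address, the program names and the exception list are assumptions constructed for the example. One point the model also makes concrete for Alex's second question: packets between two clients of the wireless AP never reach the gateway host, so nothing installed on it can see or block them; its rules only apply to traffic addressed to the gateway or forwarded through ICS.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (constructed for this example): XP ICS puts the private side
# on 192.168.0.0/24 with the gateway at 192.168.0.1; 198.51.100.20 plays the
# gateway's cable-side address and 203.0.113.x / 93.184.216.34 are "internet" hosts.
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arrived on a NIC; "out": a local process is sending
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""    # owning program; a host firewall only knows this for "out"


def zone(ip: str) -> str:
    """Trust zone of an address: the ICS subnet or everything else."""
    return "lan" if ipaddress.ip_address(ip) in LAN else "internet"


class InboundOnlyFirewall:
    """Behaviour the thread attributes to the XP SP2 firewall: unsolicited
    inbound is dropped unless an exception matches, every outbound packet
    is allowed, and outbound flows are remembered so replies can come back."""

    def __init__(self, exceptions):
        # exceptions: {(proto, port, scope)} with scope "lan" (subnet only) or "any"
        self.exceptions = set(exceptions)
        self.flows = set()   # (proto, local ip, local port, remote ip, remote port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"                       # reply to something we started
        for proto, port, scope in self.exceptions:
            if proto == p.proto and port == p.dport and scope in ("any", zone(p.src)):
                return "allow"                   # e.g. file sharing from the LAN only
        return "drop"


class ProgramAwareFirewall(InboundOnlyFirewall):
    """The ZoneAlarm-style behaviour JW describes: same inbound handling, plus
    outbound to the internet is allowed only for listed programs; anything
    else is reported ("ask") instead of silently passed. LAN traffic is trusted."""

    def __init__(self, exceptions, allowed_programs):
        super().__init__(exceptions)
        self.allowed_programs = set(allowed_programs)

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and zone(p.dst) != "lan" and p.app not in self.allowed_programs:
            return "ask"
        return super().decide(p)


# Constructed traffic covering the cases raised in the thread.
SAMPLE = [
    Packet("in", "tcp", "192.168.0.10", 1050, "192.168.0.1", 445),                     # LAN PC opening a share on the gateway
    Packet("in", "tcp", "203.0.113.7", 3321, "198.51.100.20", 445),                     # same port probed from the cable side
    Packet("out", "tcp", "198.51.100.20", 1060, "93.184.216.34", 80, "iexplore.exe"),   # browser going out
    Packet("in", "tcp", "93.184.216.34", 80, "198.51.100.20", 1060),                    # the web server's reply
    Packet("out", "tcp", "198.51.100.20", 1061, "203.0.113.9", 6667, "unknown.exe"),    # something nobody started
]


def compare(packets=SAMPLE):
    """Run the same packets through both models; returns the two decision lists."""
    exceptions = {("tcp", 139, "lan"), ("tcp", 445, "lan")}   # File and Printer Sharing, subnet scope
    xp = InboundOnlyFirewall(exceptions)
    za = ProgramAwareFirewall(exceptions, {"iexplore.exe", "outlook.exe"})
    return [xp.decide(p) for p in packets], [za.decide(p) for p in packets]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, *compare()):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport:<5} inbound-only={a:5} program-aware={b}")
```

Both models drop the cable-side probe of port 445 while letting the LAN PC in, because the exception is scoped to the subnet; the difference shows on the last packet, where the inbound-only filter lets an unrecognised program out and the program-aware one stops to ask. Scoping exceptions to the subnet is the same idea Dan Walker's "make sure they can speak to each other" relies on when the firewall is on every machine.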
Alex McClane - 30 Dec 2004 22:33 GMT Thanks for all your responses guys. Very valid points too JW. I might have to reconsider my setup with the router. While I do not need the best virus/firewall software, I'd just prefer ones that do report a little better than XP's firewall.
It's just that sometimes it's better to know what is trying to get out, especially if one has not initiated anything on the network.....
Thanks all... AMc
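The XP SP2 firewall reports more than its pop-ups suggest once logging is switched on (the Security Logging settings on the Advanced tab, or `netsh firewall set logging droppedpackets = ENABLE connections = ENABLE`): it writes pfirewall.log with DROP entries for unsolicited packets and OPEN entries for connections this host started. What it never records is which program opened a connection, which is exactly the gap ZoneAlarm and Sygate fill and the reason Alex wants better reporting. The script below, added here as an example and not from the thread, parses that file layout and separates cable-side probes, traffic from your own subnet that was dropped by mistake, and outbound connections to the internet. The header lines are the real layout; the events, the 192.168.0.0/24 subnet and every address are constructed assumptions.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed ICS subnet

# Column layout from the #Fields header that XP SP2 writes at the top of pfirewall.log
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size tcpflags "
          "tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample in that layout (header as written by XP SP2, events made up;
# 198.51.100.20 stands in for the gateway's cable-side address).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-12-30 22:10:05 DROP TCP 203.0.113.7 198.51.100.20 3321 445 48 S 2981723641 0 65535 - - - RECEIVE
2004-12-30 22:10:06 DROP TCP 203.0.113.7 198.51.100.20 3322 135 48 S 2981723655 0 65535 - - - RECEIVE
2004-12-30 22:10:08 DROP UDP 203.0.113.44 198.51.100.20 1026 1434 404 - - - - - - - RECEIVE
2004-12-30 22:10:09 OPEN TCP 198.51.100.20 93.184.216.34 1060 80 - - - - - - - - -
2004-12-30 22:10:11 OPEN-INBOUND TCP 192.168.0.10 192.168.0.1 1050 445 - - - - - - - - -
2004-12-30 22:10:12 DROP UDP 192.168.0.11 192.168.0.255 137 137 78 - - - - - - - RECEIVE
2004-12-30 22:10:15 OPEN TCP 198.51.100.20 203.0.113.9 1061 6667 - - - - - - - - -
2004-12-30 22:10:20 DROP ICMP 203.0.113.7 198.51.100.20 - - 60 - - - - 8 0 - RECEIVE
2004-12-30 22:10:30 CLOSE TCP 198.51.100.20 93.184.216.34 1060 80 - - - - - - - - -
"""


def parse(text):
    """Turn log lines into dicts keyed by the #Fields names; skips comments and junk."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:                               # needs at least date..dst-port
            continue
        parts += ["-"] * (len(FIELDS) - len(parts))      # tolerate short OPEN/CLOSE rows
        events.append(dict(zip(FIELDS, parts)))
    return events


def zone(ip):
    try:
        return "lan" if ipaddress.ip_address(ip) in LAN else "internet"
    except ValueError:
        return "unknown"


def summarize(events):
    """Split what the log can tell you into the three questions the thread asks."""
    probes = Counter()      # unsolicited inbound from the cable side, by service
    lan_drops = Counter()   # drops from our own subnet: an exception is missing or scoped wrong
    outbound = []           # connections this host opened to the internet (no program name: the log has none)
    for e in events:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            if e["protocol"] == "ICMP":
                service = "ICMP type " + e["icmptype"]
            else:
                service = e["protocol"] + "/" + e["dst-port"]
            (lan_drops if zone(e["src-ip"]) == "lan" else probes)[service] += 1
        elif e["action"] == "OPEN" and zone(e["dst-ip"]) == "internet":
            outbound.append((e["protocol"], e["dst-ip"], e["dst-port"]))
    return {"probes": probes, "lan_drops": lan_drops, "outbound": outbound}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, value in summarize(parse(text)).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Run it against the real file (by default %windir%\pfirewall.log) and the outbound list is the closest XP's own firewall gets to "what is trying to get out": the connection to port 6667 stands out, but the log cannot say which process made it. The LAN drop on UDP/137 is the other thing worth watching for on the gateway; it is what a File and Printer Sharing exception that is missing or scoped to the wrong interface looks like in practice.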
JW - 31 Dec 2004 03:04 GMT http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp
I can understand the trade-off. Sometimes, choosing the very best combination of anti-virus, anti-spyware, and firewall protection takes an investment in learning and tweaking that is not small. For most home users, who really don't want to buy into the investment of learning and tweaking 5-7 different programs (anti-virus, firewall, and 3-5 anti-spyware programs often recommended on this newsgroup), see the PC World article above.
PC World tested/evaluated many firewall, anti-spyware, and anti-virus products recently, and detailed specific problems with Norton and McAfee products that led them to recommend neither one. Only one product was recommended in both the firewall and anti-virus categories -- PCcillin Internet Security by Trend Micro. While I still prefer separate specialized products, I am now learning the ropes with the PCcillin suite, and like what I see.
It covers all the bases well, including detection and warning of outbound communication, but I would urge readers here to not give up the superior anti-spyware products often recommended in this newsgroup, including IE-Spyad and Spybot S&D. Warnings for inbound communication are not available in PCcillin's firewall (only Allow or Block).