OK, I think I've found the culprit. Zone Alarm does seem to be blocking UDP between host and client, and I can't figure out how to stop it without completely disabling my Internet firewall. It thinks that the ethernet adaptor for the LAN is to the internet, and it won't allow me to edit or change that. It's the only firewall I have, so I can't take it down.

I may have to upgrade from the free version to Zone Alarm Pro, because while the Help menu says that there's an option for setting it up for ICS, it doesn't seem to display it for the version I have.

[Update a few minutes later]

I finally figured out how to change the zone for the adaptor from "Internet" to "Trusted." My LAN is working properly now, but clients are still not seeing the internet.

[Late afternoon update]

I'm having trouble thinking that it's a Zone Alarm problem at this point, because I'm watching the log, and I've seen no activity on the LAN being blocked, even when I attempt an internet connection from a client.

I can ping the host machine, but I can't ping anything on the internet, either by name or IP.

This is most frustrating.

[Update a couple hours later]

At Ian Woollard's suggestion, I momentarily disabled Zone Alarm, and that was the problem. It seems to work if I reduce the security level for the Internet Zone from "High" to "Medium."

I'm not sure that I can configure it more specifically without getting the full version, though.

Now the question is, do I spend the forty bucks on Zone Alarm Pro, or on a router...?

I'm inclined to the former, because I can buy it on line, and it will be a good belt-suspenders system for when I get a good hardware firewall up.

Lets see for my zone alarm I have the following internet security settings.

High security zone settings
Allows programs and servers with permission to access the internet

Blocks all other traffic except:
Allow outgoing DNS
Allow outoing DHCP
Allow broadcast/mulitcast
Allow incoming ping
Allow other incoming ICMP
Allow incoming UDP ports:67

Which version are you using? Zone Alarm Pro? I'm running the free one, but maybe I'll have to upgrade to get the flexibility and functionality I need.

Hmmmm...if ZA were the problem, wouldn't I be seeing blocked attempts in the log? There's no activity showing on the LAN--just hits from the outside on my internet adaptor.

Just try turning ZA off for a few minute or two. It's very unlikely you'll be infected or attacked in that time.

If you get connectivity, you have atleast isolated the problem. If you don't, you have atleast proved that it isn't that, or isn't only that.

Why not just use the firewall and router that come with XP? All you need is an extra network card in the puter that connects to the internet.On the puter that connects to the internet,right click my network places,click properties,right click the connection to the internet, click properties,click the "advanced" tab, fill in the internet connection sharing and firewall boxes.On the other card,plug it into your hub/switch. plug the rest of your puters into the switch/hub.there you have it.

There's lots of good stuff on ZA and ICS here:

http://forum.zonelabs.org/zonelabs/search?q=ICS

It looks rather like you can only use ICS with pro or plus versions of ZA.

See:
http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=10263

There's a description of how to set up ZA:

http://don.hoover.net/index.html

but they appear to be using ZA pro there.

I've recently found that version 5 locks up my XP computer entirely, due to incompatibilities with a perfectly legitimate spam filtering program. and I was forced to drop down to ZA 4.5 which worked fine. So, I'm not entirely happy with ZA, it seems very opaque when it doesn't work.

In your case a message from ZA telling you that they don't recommend using it with ICS and recommending an upgrade would have saved so much hassle, and more likely to land them a sale.

Still, ZA has kept my computers safe for quite a while.

Now I'm no network guru and momma is the local computer hardware type, but our experience here and at our last house were similar to yours and we found that ZA does not play well with XP. We went back to Win 2K and all is well. Of the ZA people and Win Tech Support neither had answers or solutions for our problems. They blamed, and here's the odd part, each other!!

Why not just use the firewall and router that come with XP?

Great idea!

If only I had (and wanted) XP...

Oh god, ZA and ICS!!! Arrghhh, I didn't see anything blocked in the logs when I once had the same problem at a client's house last year either.

ZA sux IMHO, don't know what's better, but ZA sux.

"Why not just use the firewall and router that come with XP?"

Because XP firewall is broken to the bone. It will start up IP stack long before FW becomes active.

I did use cheap D-Link router/firewall for quite long time with no problems whatsoever, it even did dynamic DNS.
But then i needed a large storage server and put an old cheap 300mhz Celeron to the task, with FreeBSD installed. Works very well as a firewall at the same time, complete with Snort and everything.

Don't use ZoneAlarm - nothing but grief down that road! Before I put a BSD box in front of my Windows machine I used Kerio Personal Firewall (http://www.kerio.com/us/kpf_home.html). That never gave me any trouble with ICS, and it is fully configurable for free - always a plus!

The config is very easy too - basically turn it on, and it will default to blocking everything and asking you what to do when it detects activity. Authorize what you want, block the rest - after 10 minutes or so it will have seen all it needs to build a rule set.

I'd look at something other than ZA Pro. I've been using it for a while and when I rebuild my machine next (sometime this year) I'll be throwing it out.

It's not just connectivity problems but I also find that certain web pages simply refuse to load with it turned on. I've checked with other ZA users and they have the same problems.

I'd scrap Zone Alarm. I had the pro version for a month and it completely messed up the computer. I had to hack into the system in order to uninstall it. The darn thing would not recognize my password and I had no net connectivity for a month.

From your posts on this subject, you mentioned that you do, in fact, have a router back in California that will eventually be brought on-board in Florida, correct? I don't see the need to spend your money on yet another one to hold your pants up until that router makes it to FL. While I'm no ZA expert, it sounds like most other people here aren't too fond of it, but if you only need to use it for a short time, I would say go with the software solution for now, unless you think that you're going to need another router down the line. More likely, by the time you decide to install another router, Gbe will be more standardized, and you'll be stuck with two 10/100 routers.

Just my $.02 (USD, not CND)