I submitted a software issue to Zone Labs and they responded with a great document which helped me to solve my issue. Not wanting to keep this information just for me here it is, very good stuff to help us with alerts. Their document follows;
================================================== ===============
This information applies to

ZoneAlarm Pro ZAP 3.x
ZoneAlarm Plus ZA+ 3.x


A Windows service or process wants to access the Internet.


There are some default Windows processes which may prompt for access
to the Internet. In some cases you may see some of these
processes 'listening' for incoming connections.

Note that if a program asks for Server rights and you say Yes, it
will have Server rights to both Trusted AND Internet Zones by
default. If the program only requires Server rights to the Trusted
Zone (i.e. if you have added the servers that the program will
connect to, into the Trusted Zone), you should go into the Programs
Panel and deny Access and Server rights for that program to the
Internet Zone.

The Services and Controller App (services.exe) is necessary in order
for you to surf the web.

Generic Host Process is most commonly used for DNS. If you add your
ISP's DNS servers to your Trusted Zone, then you can give this Access
to Trusted Zone only (and Server rights to Trusted Zone only if it
requires Server rights or something gets blocked).

Windows Messaging subsystem may be required by Microsoft email
clients - for more information, you can visit MS support:


RPCSS is the remote procedure call service.

SSH is a secure shell. This service supports the ability to re-
direct ports on both local and remote machines (for example, to pick
up mail from a POP server). This allows you to access non-telnet
services through an encrypted channel.

Depending on what else you are running, Windows may also prompt
Distributed COM services for server rights to the Internet.

If you are concerned with DCOM for network security reasons then
please continue reading. DCOM can be disabled but be aware that this
will disable the ability to communicate for any program that is
programmed to use DCOM, and may have unexpected results. Products
such as Microsoft Message Queue and Microsoft Transaction Server use

How to disable DCOM's ability to use networking:
The DCOM configuration utility is called DCOMCNFG.EXE. (By default it
is in W2K, in NT as of SP4; Win95 and 98 must be installed by user by
downloading from Microsoft).

Click Start > Run. Type DCOMCNFG. Under the ?Default Protocols ? tab,
select and remove all listed protocols. That should remove DCOM's
ability to communicate via a network.

Some other Windows services that you might see listed are:
-Windows Management Instrumentation
-Server Protect Win32-based Service
-Microsoft License Server
-Microsoft Management Console
-Logical Disk Manager Service process
-Internet Information Services

The following ports are used by Windows services:
-Universal Plug N Play (accesses port 5000)
-Simple Service Discover Protocol (accesses port 1900)

If you test your security and find these ports showing as not stealth
even with your Internet Zone set to high, this is likely due to a
security issue with the operating system. For more info and a patch:


NOTE - Some Trojans may try to use commonly used ports that Windows
services use, with similar process names, in order to trick you into
allowing them access.

For further information please see the Microsoft Support site at
http://support.microsoft.com. Some good articles to read (simply
search by article ID):

263201 (Windows Services)
262458 (Description of Universal PnP)
276507 (How to enable Universal PnP)

You can also select your version of Windows, type in the word ?port ?
and the ports you are interested in (or if ZoneAlarm shows a service
name, use that instead). This will often give you the information
you need.

Operating System:Windows XP Pro
Product Name:ZoneAlarm Pro
Software Version:3.7