I've tried to search the ZA help and forums on this, but it has only left me confused.

I've been using ZoneAlarm Free for over ten years. Throughout that time, I've always applied updates and moved to the new versions as soon as I was notified of them. On several occasions I made completley clean installs when I replaced a computer with a new one. But the changes in ZA 10 have made me realise and think about something I've never realised or thought about before.

That is that over the ten years, and through all the versions and clean installs, localhost/loopback/ has never been in the trusted zone in my ZA; it's always been in the internet zone.

I have never knowingly answered a configuration question as to whether localhost should be in the trusted zone; and I have certainly never moved it from trusted zone to internet zone. But it has always been in the internet zone, so I can only conclude that it is the default setting that it should be in the internet zone, not the trusted zone.

What's brought the matter up is ZA 10 not having the ability all previous versions had to leave ZA always asking if a particular program should have internet access or not. I have several programs that always need to access modules and/or other programs on the same computer via internet protocols to work, but which also occasionally try to connect out onto the internet, which I don't want to allow. Because localhost was, by default, in the internet zone, I left ZA always asking when those programs wanted access, and if it was to I would grant it (but leaving ZA set to always ask), while if it was to an external IP address I would deny it.

But with ZA 10, I can't leave it set to always ask. And it's far too much hastle to manually change the ZA program permissions every session.

So it occured to me that if localhost/ was in the trusted zone, for those programs I could grant permanent permission for trusted zone access, while permanently denying internet zone access.

But that has made me think about the default settings. There's nothing about it in the ZA help documents or knowledge base. Searching in the forums has brought up a couple of posts where people say that ZA's default is to have localhost in the trusted zone. But I know it has always been in the internet zone for the 10+ years I've been using it, at least in my copies - I've never changed it, never answered a setup question about it, and if it had been in the trusted zone, then these programs wouldn't have been asking about access each time.

So, as moving localhost to the trusted zone would solve the ZA 10 problem the loss of ability to leave a program being asked about every time it's used has raised, I really need to ask a question:

Is there any good reason not to have localhost in the trusted zone? Is there any specific vulnerability or threat that would exist with localhost in the trusted zone that would not exist with it in the internet zone?

A second question would be, if there's no good reason not to have localhost in the trusted zone, why has the default been to have it in the internet zone all these years? But that's just curiosity. The important question is whether I can safely put it in the trusted zone now.

Thanks for any help.

(Laptop with Windows 7 64-bit, latest ZA Free, internet access via wi-fi to a Netgear router with nothing else on the network. Before a year ago it was Windows XP 32-bit, always latest ZA Free, USB cable ADSL Modem. But this is really a generic question about what a normal localhost ZA setting should be.)