I posted this as a resolution to a question of mine in the AV/FW section of the forums, but thought that it would be proper to post it here as a stand-alone tutorial/help thread. I'll totally understand if it's pulled as the info technically exists somewhere.
ZoneAlarm + DNSCrypt Tutorial:
Set your internet connection/LAN to the "public" zone.
Under firewall settings, set Public Zone to high. (Never trust a full network, Google agrees.) Also there, set Trusted Zone to medium.
Under firewall advanced settings, go to Trusted Zone and under the medium settings section, check every box. For the "block ports" checkboxes, enter 1-79,81-442,444-65535, which blocks every port except 80 and 443.
Click update and let it fail. Check the firewall logs for the IP addresses using ports 443 and 80 at the time of your attempt and copy them somehow.
Go to the firewall page and click "view zones." Add the collected IPs as ranges. If the IP was 220.127.116.11, use the range of 18.104.22.168 to 22.214.171.124.
Click update again. One of three things can happen: nothing updates, only the definition updates work, or both the program and the definitions update correctly.
In the first case, you have the wrong IP or ZA changed update IPs instantly. In the second, you added a correct port-443 IP. In the third, you added the correct port-443 and port-80 IPs.
You will be repeating the process over the course of about 3 days before you have covered essentially all of ZA's IPs and no longer need to worry about updates.
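The log-checking step above can be scripted. This is an added example, not part of the original post and not ZoneAlarm's own tooling: it picks out blocked outbound connections to ports 80 and 443 near the time of the failed update and prints the enclosing range for each. The log layout, the sample lines, the function name and the /24 range width are all assumptions.

```python
import csv
import ipaddress
from datetime import datetime, timedelta

# Constructed sample lines in an assumed comma-separated layout:
# event,date,time,source ip:port,destination ip:port,protocol
SAMPLE_LOG = """\
FWOUT,2024/01/15,10:30:02,192.168.1.20:50111,203.0.113.45:443,TCP
FWOUT,2024/01/15,10:30:03,192.168.1.20:50112,198.51.100.7:80,TCP
FWOUT,2024/01/15,10:30:04,192.168.1.20:50113,203.0.113.99:443,TCP
FWOUT,2024/01/15,10:30:05,192.168.1.20:50114,192.0.2.10:53,UDP
FWIN,2024/01/15,10:30:06,198.51.100.200:4444,192.168.1.20:443,TCP
FWOUT,2024/01/15,11:45:00,192.168.1.20:50200,192.0.2.77:443,TCP
"""
SAMPLE_ATTEMPT = datetime(2024, 1, 15, 10, 30, 0)  # constructed click time


def candidate_ranges(log_text, attempt, window_s=60, ports=(80, 443), prefix=24):
    """Map each enclosing range to the ports seen for blocked outbound
    traffic within window_s seconds of the update attempt."""
    found = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0] != "FWOUT":
            continue  # skip malformed lines and inbound blocks
        when = datetime.strptime(f"{row[1]} {row[2]}", "%Y/%m/%d %H:%M:%S")
        if abs(when - attempt) > timedelta(seconds=window_s):
            continue  # not close enough to the update attempt
        host, _, port = row[4].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue  # only the two ports left open in the Trusted Zone
        try:
            # Range width is an assumption (prefix=24).
            net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        except ValueError:
            continue  # destination is not a valid IPv4/IPv6 address
        key = (str(net[0]), str(net[-1]))
        found.setdefault(key, set()).add(int(port))
    return found


if __name__ == "__main__":
    hits = candidate_ranges(SAMPLE_LOG, SAMPLE_ATTEMPT)
    for (first, last), seen in sorted(hits.items()):
        print(f"{first} - {last}  ports {sorted(seen)}")
```

Any other program that reached out on port 80 or 443 inside the time window will also show up, so confirm each address belongs to the update service before adding its range to the Trusted Zone.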