I found a jewel for you! See section titled
Zone Alarm Log Info:
http://robertpanderson.com/zonealarm1.html
It will explain what you are seeing. I remembered the FWIN (incoming) and the FWOUT (outgoing). Here is PE: The "PE" entry informs you that an application on your computer attempted to access the Internet.
Example 1:
PE,2009/12/06,12:19:38 -5:00 GMT,Antivirus Scheduler,C:\Program Files\Avira\AntiVir Desktop\sched.exe,208.111.157.78:80,N/A
- PE > indicates that you said "yes" when you were prompted to allow an application on your computer to access the Internet.
- The IP address 208.111.157.78 and the port number 80 are for Limelight Networks in AZ, which Avira connected to.
- Avira contacted the internet and got the scheduled update.
Example 2:
ACCESS,2009/12/06,11:54:38 -5:00 GMT,Antivirus Scheduler was unable to obtain permission for connecting to the Internet (208.111.157.181:HTTP); access was denied.,N/A,N/A
On the other hand, Avira couldn't complete the update. Note the type of access was HTTP and not to port 80.
Example 3:
PE,2009/12/06,10:00:20 -5:00 GMT,Dell Support,C:\Program Files\DellSupport\DSAgnt.exe,74.128.19.102:53,N/A
The Dell Support program on your system attempted to contact the internet, most likely for an update.
Do you need to allow this to continually access looking for updates? No. Turn off the auto-update feature.
Example 4:
ACCESS,2009/12/06,10:01:22 -5:00 GMT,Sonic Update Manager was temporarily blocked from connecting to the Internet (74.128.19.102:DNS).,N/A,N/A
ACCESS > an application was blocked because it did not have access permission.
IP 74.128.19.102 is for Internet Connections Suite in KY.
Sonic attempted internet access for update, but has not been given permission for this.
The firewall takes into consideration the IP address, the port number and the protocol. If it is satisfied that it meets all of the configurations that have been set, it will allow the connection.
If you look at the log, Sonic made 15 more attempts to access between 10:00:40 and 12:46:42 on this same date and the firewall blocked them.
I guess what I'm trying to show you is that the fewer auto-updates you have, the fewer incoming and outgoing attempts to update or access will be made and the firewall can sit back and rest occasionally.
Another point to consider is what add-ons you have in the browser. Do any of them have internet access to send data? This could be another cause of extra activity.
See this:
Firewall Forensics: What Am I Seeing by Robert Graham:
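
As an added example (not part of the original post and not ZoneAlarm's own tooling), this Python script parses PE and ACCESS lines like the ones quoted above and reports, per application, how many connection attempts were blocked and over what time span. The field layout is inferred from the quoted entries, the sample log is constructed, and the names `parse_log` and `blocked_summary` are hypothetical.

```python
import csv
import re
from datetime import datetime

# Constructed sample lines in the same layout as the entries quoted in the post.
SAMPLE_LOG = r"""PE,2009/12/06,10:00:20 -5:00 GMT,Dell Support,C:\Program Files\DellSupport\DSAgnt.exe,74.128.19.102:53,N/A
ACCESS,2009/12/06,10:00:40 -5:00 GMT,Sonic Update Manager was temporarily blocked from connecting to the Internet (74.128.19.102:DNS).,N/A,N/A
ACCESS,2009/12/06,10:01:22 -5:00 GMT,Sonic Update Manager was temporarily blocked from connecting to the Internet (74.128.19.102:DNS).,N/A,N/A
ACCESS,2009/12/06,11:54:38 -5:00 GMT,Antivirus Scheduler was unable to obtain permission for connecting to the Internet (208.111.157.181:HTTP); access was denied.,N/A,N/A
PE,2009/12/06,12:19:38 -5:00 GMT,Antivirus Scheduler,C:\Program Files\Avira\AntiVir Desktop\sched.exe,208.111.157.78:80,N/A
ACCESS,2009/12/06,12:46:42 -5:00 GMT,Sonic Update Manager was temporarily blocked from connecting to the Internet (74.128.19.102:DNS).,N/A,N/A
"""

# The two ACCESS message wordings that appear in the post's examples.
ACCESS_RE = re.compile(
    r"^(?P<app>.+?) was (?:temporarily blocked from connecting|"
    r"unable to obtain permission for connecting) to the Internet "
    r"\((?P<dest>[^)]+)\)"
)

def parse_log(text):
    """Yield one dict per PE or ACCESS line; skip anything unrecognised."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 4:
            continue
        try:  # date field plus the clock part of the time field
            when = datetime.strptime(f"{row[1]} {row[2].split()[0]}", "%Y/%m/%d %H:%M:%S")
        except (ValueError, IndexError):
            continue
        if row[0] == "PE" and len(row) >= 6:
            # PE: program name, program path, destination ip:port
            yield {"time": when, "app": row[3], "dest": row[5], "action": "allowed"}
        elif row[0] == "ACCESS":
            m = ACCESS_RE.match(row[3])
            if m:
                yield {"time": when, "app": m["app"], "dest": m["dest"], "action": "blocked"}

def blocked_summary(text):
    """Map application name -> (blocked count, first time, last time)."""
    out = {}
    for e in parse_log(text):
        if e["action"] != "blocked":
            continue
        count, first, last = out.get(e["app"], (0, e["time"], e["time"]))
        out[e["app"]] = (count + 1, min(first, e["time"]), max(last, e["time"]))
    return out

if __name__ == "__main__":
    for app, (n, first, last) in blocked_summary(SAMPLE_LOG).items():
        print(f"{app}: {n} blocked between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Applications with a high blocked count over a short span are usually auto-updaters retrying, which is the pattern the post describes for Sonic.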