Pretty much all data that is sent over the internet (such as the web page you are reading this reply on) is broken up into separate chunks of a thousand or so bytes. Each chunk, or packet, is sent separately, with a header saying where it is going, and a sequence number. The receiving computer glues the packets back together in order, and sends out requests for copies if a piece is missing.
A firewall watches these low level packets coming and going to your computer, and refuses to let some of them pass (typically, just discards them).
The most basic firewall will let your computer send out any packet, but will only let packets back in that are recognized as replies to something you just sent out.
Zone Alarm goes a bit further, and tracks which applications on your computer are sending what kinds of packets. You can allow your web browser to send requests to web servers (http://... places), but keep some randomly hacked virus infected application from connecting out.
Fancier firewalls will have a lengthy list of rules, saying who can send or receive what from whom when. A place like Amazon, Yahoo or FreeRepublic requires such fancier firewalls. Well, actually many places require such. Pretty much anytime you start providing some service on your computer that others can access from across the internet, you need to get much more serious about firewalls.
This keeps a list of what packets it discarded (filtered out), so you can see what was kept out.
This is just to help you see what is going on.
You connect it between your cable (or DSL) modem and your PC:
They are easier to use, provide a more robust firewall (quite a bit harder to crack) and once installed, can operate pretty much without any consideration for years, regardless of changing and confused settings in your PC.
Zone Alarm tends to go out of its way with the free version to scare you, with various alerts about outgoing packets that are not usually any problem. This encourages you to buy their Pro version.