We got into this rather extensively in another thread on BID, but it bears repeating here, since the specific subject is the value of BID as a firewall.
First, BlackICE Defender is NOT a firewall in the manner of ZA. It's an "Intrusion Detection System", which works on a different premise. The following web page describes this in detail. FAQ: Network Intrusion Detection Systems
The purpose of a firewall is to act as a barrier between a computer and the outside world. This it does by blocking all ports (of which there are 65,536) not specifically approved for access. There are rules that can be set for how this can be accomplished, what restrictions are to be in place, and so on. However, it's primarily a gatekeeper that either allows access to a port or doesn't.
A firewall does not care what traffic flows through an approved port. It's assumed to be okay. And, as Code Red/Nimda demonstrated, an open port (80 in this case) CAN be used for mischief.
Unlike a firewall, an IDS is NOT trusting. ALL traffic is assumed to be hostile until determined to be okay. An IDS also has approved ports for allowing incoming and outgoing traffic, but it examines the "packets" of data as they arrive and leave to determine if patterns exist in them that indicate hostile intent. For example, "Trojans" such as Sub-Seven and Back Orifice have specific data patterns. An IDS has a catalog of these patterns and can recognize them "on the fly". These are stopped dead even on approved ports.
In brief, a firewall creates a fence around a computer, with a few gates that can be used to get in or out. It may or may not notify the user if something tries to get through the fence from inside, but that's a frill, since anything that shouldn't be allowed to get out shouldn't be in there. The firewall's gates don't check the nature of what passes through its gates.
An IDS creates a fence with gates, but at each gate there's a guard checking credentials to be certain that nothing dangerous gets through the gate either way.
BID does NOT notify the user of an attempt by a program to access the outside world via the Net or direct dial-up. That's not its purpose. And, as noted earlier, if a program should not be given access to the outside world, why is it on the computer in the first place?
BID DOES, however, monitor outgoing packets for the data patterns that indicate Trojan-like activity, and deals with them if they are suspicious.
If the questionable value of knowing that such and such a program is trying to get out is of importance, go with ZA, but be aware that any file with the same filename is granted access automatically. There are viruses that create files such as iexplore.exe in non-standard places, and do their evil deeds through the firewall, which has been told to accept traffic from iexplore.exe.
If having a system that looks for trouble, even through approved ports, is of value, get BID. And, they can run together if the resource hit is acceptable.
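The port-versus-content distinction described in the post, as an added Python example that is not part of the original post and is not how BID or ZA are implemented: a port-only filter and a signature-checking filter are run over the same traffic. The `Packet` type, the function names, the two simplified patterns and the sample packets are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

ALLOWED_PORTS = {80}  # the "gates": ports approved for traffic (assumed policy)

# Simplified, illustrative patterns (assumptions, not a real IDS rule set).
SIGNATURES = {
    "oversized .ida request (Code Red-style)": re.compile(rb"GET /[^ ]*\.ida\?.{200,}"),
    "cmd.exe in URL (Nimda-style probe)": re.compile(rb"GET /[^ ]*cmd\.exe", re.I),
}

@dataclass
class Packet:
    direction: str   # "in" or "out"
    port: int        # local port for inbound, remote port for outbound
    payload: bytes

def firewall_verdict(pkt):
    """Port-only gatekeeper: anything on an approved port passes."""
    return "allow" if pkt.port in ALLOWED_PORTS else "block"

def ids_verdict(pkt):
    """Same gates, plus payload inspection in both directions."""
    if pkt.port not in ALLOWED_PORTS:
        return "block", "port not approved"
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return "block", name
    return "allow", "no signature matched"

# Constructed sample traffic, not captured data.
SAMPLES = [
    Packet("in", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("in", 80, b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),
    Packet("out", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    Packet("in", 12345, b"hello"),
]

def compare(packets=SAMPLES):
    """Return (firewall, ids) verdict pairs for each packet."""
    return [(firewall_verdict(p), ids_verdict(p)[0]) for p in packets]

if __name__ == "__main__":
    for p, (fw, ids) in zip(SAMPLES, compare()):
        print(f"{p.direction:>3} port {p.port:<5} firewall={fw:<5} ids={ids}")
```

The second and third packets are where the two verdicts differ: both travel on approved port 80, so only the content check stops them.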