If you have a good router, then it most likely has a good built-in firewall. Usually most people do not need a software firewall. A good updated antivirus/antispyware program and smart web browsing habits are usually good enough to stay malware-free.

ZoneAlarm is pretty much obsolete and so are most third-party antivirus solutions for small-business or home users.  Windows has a built-in firewall that can be configured and Microsoft Security Essentials is all you should be using now-a-days.

A firewall should be on a dedicated security device before or at the router itself.  Basically, you block all incoming traffic from entering your network (*Exceptions might include PING and ports for VPN or DHCP if needed) and only allow connections originating from the inside from coming back in; this is called stateful pack inspection. 

A virus is executed from an already compromised host inside your network, so a firewall cannot stop its communication with the outside world because it only blocks traffic on the outside.  You could block additional traffic from reaching the outside (internet) by manually creating access control lists to only allow certain IP addresses and or ports from reaching the internet, but this too is a shot in the dark since you still need to leave ports 80 and 443 open anyway.

In short, once a computer is infected it is already too late, the malicious program will most likely use ports 80 and 443 to communicate back home while your firewall remains completely unaware.