Well, ZoneAlarm is pretty bad about reporting/blocking things it shouldn't (like return traffic if you have a very high latency connection, or leave stuff open/connected a long time). There are a few questions you should ask yourself:

1) Was I connected to the supposed attacker at any time for any reason? (Hard to say, but for example, pop-up web ads, you might not realize you went to that site.) Look at the source port of the attacker, look at the destination. If on your side (destination port), it is a very high numbered/random port, but on the source side, it is very low (less than 1024, a perfect example being 80), chances are high that it is, in all likelihood, legitimate traffic (a response to something you requested). FTP is notorious for looking like an attack when it is really the server just opening up a data channel to send the file back to your client.

2) What port was accessed? 137? 80, 25, 23? 31337? Is it a known port for a web server or some trojan? It could be someone just doing a scan, or it could be more, hard to tell if you don't have an IDS.

3) Get something like Agnitum Outpost that has a built-in IDS function that would help you figure this out a little bit better (and IMHO give you more control and information than ZoneAlarm (and hence it is a little harder to set up)). There are other firewalls out there that give you the same thing (the one that PGP had was one) and there are probably other programs out there that have IDS functionality (although not sure how well that would interact with your firewall).

Biggest thing is focus on the port (source and destination) ...

Hope that helps,

/nebulus
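The port checks from questions 1 and 2 above, written out as an added example that is not part of the original post: it triages blocked inbound packets by source and destination port and flags a source that touches several local ports as a scan. The alert tuple layout, the port labels, `SCAN_THRESHOLD` and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports the post names as worth recognising; the labels are added for readability.
WATCHED_PORTS = {23: "telnet", 25: "smtp", 80: "http",
                 137: "netbios-ns", 31337: "Back Orifice default"}
SCAN_THRESHOLD = 3  # assumption: distinct local ports from one source before calling it a scan


def classify(src_port, dst_port):
    """Apply the post's port heuristic to one blocked inbound packet."""
    if dst_port in WATCHED_PORTS:
        return "probe:" + WATCHED_PORTS[dst_port]
    if src_port < 1024 and dst_port >= 1024:
        # Low remote port, high local port: looks like a reply to something we requested.
        if src_port == 20:
            return "likely-reply:ftp-data"  # active-mode FTP server opening its data channel
        return "likely-reply"
    return "unknown"


def triage(alerts):
    """alerts: iterable of (src_ip, src_port, dst_port). Returns {src_ip: verdict}."""
    by_source = defaultdict(list)
    for src_ip, src_port, dst_port in alerts:
        by_source[src_ip].append((src_port, dst_port))
    verdicts = {}
    for src_ip, hits in by_source.items():
        labels = {classify(s, d) for s, d in hits}
        distinct_dst = {d for _, d in hits}
        only_replies = all(label.startswith("likely-reply") for label in labels)
        if len(distinct_dst) >= SCAN_THRESHOLD and not only_replies:
            verdicts[src_ip] = "scan"
        elif len(labels) == 1:
            verdicts[src_ip] = labels.pop()
        else:
            verdicts[src_ip] = "mixed"
    return verdicts


# Constructed sample alerts (documentation addresses, not from a real log).
SAMPLE = [
    ("192.0.2.10", 80, 49231),      # web server answering a slow request
    ("192.0.2.20", 20, 50112),      # FTP server data channel
    ("198.51.100.5", 4021, 31337),  # single hit on a trojan port
    ("203.0.113.9", 3301, 23),
    ("203.0.113.9", 3302, 25),
    ("203.0.113.9", 3303, 137),
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE).items():
        print(ip, verdict)
```

The sender chooses its own source port, so a `likely-reply` verdict is a triage hint to confirm against what you actually connected to, not a final answer.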