I realise this topic is quite of date now, but I thought I would share my personal knowledge and expertise.
Firslty I would like to say that the built in XP firewall is good for controlling the applications that use your connection from your computer, but in terms of it's abilities to cope with any concerted effor to "hack" your computer, it isn't much good. It would keep a slightly less experienced "hacker" out for a little bit but not for ever, an experianced "hacker" would cut throught it like a knife through butter. The main reason for this is that it is based on Microsoft code that has inherant flaws.
With regards to the ZoneAlarm firewall it is quite good, and much better than the XP firewall, as you've said it does sometimes have issues with being a bit resource heavy but this is spasmodic and only evident on some systems suggesting that it is a system problem opposed to a software problem with ZA.
My personal recomendation in terms of firewalls would be the Sygate firewall that has already been recommended or the Tiny Personal Firewall (
www.tinysoftware.com), which although Tiny is reported to be very good and supposedly used internally by the American civil service which is possible good and possibly not depends on your views of the American's ;)
In terms of really good security I reccomend a hardware firewall, many are available cheaply, my personal favorite is Netgear (
www.netgear.com) which have a range of firewalls with built in broadband routers and LAN switches, some even have integrated wireless access points.
Once you've installed your firewall you can test it's security by going to
www.grc.com and using their "Shields Up" port scan, ideally all ports should report as being stealth if your firewall is doing it's job. GRC also have lots of security related information particularly for those of you who use Windows, especially XP which is not exactly the worlds most secure OS despite it's built in security features.
Hope this helps, oh and if your wondering how I know this, it is because I am currently doing a course at university on Cyber Terrorism, and I work in IT. So i'm not some crazy hacker guy