I'm assuming professional hardware firewalls aren't common for home use, so in the ICS method, I have 1 pc connected to the router connected to the cable modem, then have the rest of the computers connected to the host pc using a wired hub?
Proponents of this method use an old computer, the “head of network”, whose only function is to be the host.
If you use this particular computer for everyday use, you expose the computer itself to the same LAN turnabouts.
If using such a method, you should not use a hub (passively dispatching all the data over the whole network) but a switch (actively forwarding the data to the computer asking for it); an old modem-router, if you have one from a former ISP, also does the job.
If I choose to remain with my current setup instead, when you said it's very difficult to protect, are you saying that I'm not secure enough even with my router's firewall, Comodo firewall, and antivirus?
No, one must not be paranoid: it only means that you probably won't be able to totally keep the "internet" from accessing, not your LAN computers themselves, but the WAN side of your router, and that you must edit redundant Comodo rules for each LAN computer.
I don't know how to do it with Comodo, as I came back to it only recently, but to avoid tedious rewriting, the best way is to make the rules for one LAN computer, then export them and import them to the next, only having then to change, say, the specific rules for 192.168.1.2 to 192.168.1.3.
By "if not", you mean that if I don't do either the ICS or professional hardware firewall, correct?
Yes
What are security requests and tests?
You might fail when running online security tests (grc, sdv, pcflank, comodo...), because these tests evaluate not your LAN computers, but the WAN side of your router.
The same goes, of course, not just for security tests but for real internet requests, legit or not.
One way to temporarily overcome this behavior is to set the router's DMZ to one of your LAN computers, say 192.168.1.2, and so test that computer, protected by Comodo, and not the router itself.
What are windows services and shares?
Somewhat long to write on a forum.
Take a look, e.g., at http://www.blackviper.com/ to see which Windows services, automatically enabled by Windows behind your back, should or should not be allowed.
Also take care, on XP and later, to disable remote assistance.
And I thought the goal was to allow the LAN computers (the ones of the form 192.168.1.n) to access each other internally? Why deny?
It depends on whether you wish each LAN computer to access each other, or only the router; in either case, you generally don't want to be alerted, and need to write either a deny or an allow LAN rule, but in every circumstance without logging.
So you're saying that Comodo will now allow every connection whose source and destination IP's are both of the form 192.168.1.n, but block connections whose source or destination is not of this form? (like 239.255.255.250, for example)
If you make a LAN rule allowing 192.168.1.n, any request to a LAN IP coming from outside of the LAN, including 239.255.255.250, shall either be asked or denied depending on how you answer this request.
But 239.255.255.250 is not the best example, as this virtual IP is related (port 1900) to Windows network discovery via UPnP/SSDP: you might need this authorization to fully access your hardware (printers...) inside your LAN, while you can deny it for WAN.
In the same way, you could throw yourself off the internet if you do not allow svchost for bootstrap (UDP out, 255.255.255.255, ports 67 and 68).
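
Added example, not part of the original post and not Comodo's own rule format: a small first-match rule evaluator in Python that models the three rules discussed above (LAN to LAN, SSDP on 239.255.255.250 port 1900 from LAN sources only, DHCP bootstrap to 255.255.255.255 on ports 67/68). The rule names, the `evaluate` function, the "ask" default and the 203.0.113.7 outside address are assumptions made for illustration.

```python
import ipaddress

# Networks named in the post; 192.168.1.n is taken to be a /24.
LAN = ipaddress.ip_network("192.168.1.0/24")
SSDP = ipaddress.ip_network("239.255.255.250/32")   # UPnP/SSDP multicast group
BCAST = ipaddress.ip_network("255.255.255.255/32")  # limited broadcast (DHCP)
ANY = ipaddress.ip_network("0.0.0.0/0")

DEFAULT_ACTION = "ask"  # assumption: unmatched traffic raises an alert

# Hypothetical rule table, evaluated top to bottom; first match wins.
RULES = [
    {"name": "dhcp-bootstrap", "dir": "out", "proto": "udp",
     "src": ANY, "dst": BCAST, "ports": {67, 68}, "action": "allow"},
    {"name": "ssdp-from-lan", "dir": "any", "proto": "udp",
     "src": LAN, "dst": SSDP, "ports": {1900}, "action": "allow"},
    {"name": "lan-to-lan", "dir": "any", "proto": "any",
     "src": LAN, "dst": LAN, "ports": None, "action": "allow"},
]

def evaluate(direction, proto, src, dst, dport):
    """Return (action, rule_name) for one packet description."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule["dir"] not in ("any", direction):
            continue
        if rule["proto"] not in ("any", proto):
            continue
        if src_ip not in rule["src"] or dst_ip not in rule["dst"]:
            continue
        if rule["ports"] is not None and dport not in rule["ports"]:
            continue
        return rule["action"], rule["name"]
    return DEFAULT_ACTION, "default"

# Constructed sample packets: (direction, proto, src, dst, dst_port)
SAMPLES = [
    ("out", "tcp", "192.168.1.2", "192.168.1.3", 445),
    ("in", "udp", "192.168.1.3", "239.255.255.250", 1900),
    ("in", "udp", "203.0.113.7", "239.255.255.250", 1900),
    ("out", "udp", "0.0.0.0", "255.255.255.255", 67),
    ("in", "tcp", "203.0.113.7", "192.168.1.2", 445),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(*pkt))
```

The SSDP rule is keyed on the source being inside the LAN, so discovery traffic between local machines and printers matches while the same multicast destination from a WAN source falls through to the default.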