It isnt a bad idea to run the software on top of using a router ( A SOHO router is a NAT box, but even with SPI it isn't truly a firewall (not a REAL good one anyway). NAT does have inbound firewalling properties, but it is NOT a firewall.
There is also a HUGE difference between running a software firewall on top of an OS ike ZA< Norton etc, and a dedicated hardwall firewall appliance ( a real one like a Netscreen, Sonicwall, Cisco PIX etc or even a software firewall imbeeded into the os like IPtables/chains, smoothwall etc.
ZA or another software firewall running on top of your OS can be shut down with a batch script from a trojan, virus etc. Try that with an embedded firewall on a hardened BSD box, or as part of the software running on a true,dedicated firewall appliance.