Confession: Until last week, I had it switched off. It didn’t make a lot of difference but I should have been more careful. It was just that when I first switched it on, nothing worked and I didn’t understand how the Mac worked enough to fix it; then I forgot. It ought to be switched on by default then this wouldn’t happen.
Anyway, it is all actually quite straight forward. There are guides available to show you how to do it. The problem is that they are a bit too technical in language and also are not clear on how to decide what to put in the table of allowed programs. The answer is don’t put any in manually, let them ask you first and then decide if you want to allow it.
The sort of programs which will ask and need it are IM/VoIP (iChat, Adium, Skype) and Download/Upload services (µTorrent, iPlayer, CyberDuck). Your browser may also ask, it rather depends on what sites you go to. Some applications ask more than once but eventually they remember. The ones that don’t ask and shouldn’t need it are Mail/RSS/News (Thunderbird, iMail), Text (NeoOffice, TextWrangler, TextEdit, MS-Office) and (to my surprise) Virtual Machines (VMware Fusion, Crossover and probably Parallels). In any case, you ought to run a local firewall in virtual machines.