
View Full Version : Trying to access the internet?



Voivod
2008-04-17, 20:38
Ran a quick scan with RootAlyzer then decided to run a deep scan. In the middle of (or rather, a while after starting the scan) ZoneAlarm popped up a warning that RootAlyzer.exe was attempting to access the internet.

It shouldn't be doing that, should it?

PepiMK
2008-04-17, 20:52
No, it surely should not!
Unless you open the About dialog and press the Update button of course, in which case it'll download a file of a few bytes of size. That file will be downloaded from http://www.safer-networking.org/updates/rootalyzer.ini.

Did ZoneAlarm tell you which site it tried to connect to?

Voivod
2008-04-17, 21:13
Nope, didn't hit the update, and no destination IP address is listed in the ZA log. I denied access when it popped up.

This has been happening with other apps including a screensaver: randomly popping up the ZA alerter with a request for net access. Windows is up to date. Updated and ran AVG AV, Spybot and Ad-Aware; none of them have found anything other than some cookies.

Addendum - Even Windows Defender came up blank

PepiMK
2008-04-22, 16:32
That's kind of spooky. You could try a tool like ActivePorts (http://www.devicelock.com/freeware.html) (or inside Spybot-S&D, Tools, Process List, the tab named Open Network Ports at the bottom, which does the same) to check which ports are opened by which application.

In theory, malware could easily inject a single thread into a different application to use that context for communicating with the outside. That's not an easy thing to code though, so quite rare.

If ZA shows no IP, did it open a port in "listen" mode maybe (trying to act as a server)? The above (ActivePorts or Spybot-S&D) would show that, and if not, possibly an IP or domain name which might help in finding out more (if something actually would go to the length of implementing such a method, it would be quite well hidden otherwise). Unless it's all a bug in ZA of course; I haven't used that in a while and can't say anything about it, I just mention it to avoid imagining too many things on the possible rootkit side ;)
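The check PepiMK suggests above (which process owns which open or listening port, and whether that process looks out of place) can be done from PowerShell without a third-party tool. The script below is an added example for this thread, not code from Spybot, ActivePorts or ZoneAlarm. It assumes a Windows version with the NetTCPIP module (Windows 8 / Server 2012 or later; the `netstat -anob` output is the equivalent raw data on older systems) and an elevated session, since process paths of other users' processes are only readable with admin rights. The "suspicious" heuristic (unsigned image outside the Windows or Program Files trees) is an assumption chosen for illustration, not a verdict.

```powershell
# Added example, not part of the original thread.
# Maps every listening/established TCP socket and every bound UDP endpoint to
# its owning process, records the image path and Authenticode status, and
# flags unsigned images that live outside the usual system directories.
# Requires: Windows 8 / Server 2012+ (Get-NetTCPConnection, Get-NetUDPEndpoint),
# run elevated so that Get-Process can read other processes' paths.

$ProcessCache = @{}   # PID -> info object, so each process is inspected once

function Get-OwningProcessInfo {
    param([int]$ProcessId)
    if ($ProcessCache.ContainsKey($ProcessId)) { return $ProcessCache[$ProcessId] }

    $info = [pscustomobject]@{
        Name = 'unknown'; Path = $null; Signature = 'n/a'; Suspicious = $false
    }
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($proc) {
        $info.Name = $proc.Name
        $info.Path = $proc.Path          # $null for System/protected processes
        if ($info.Path) {
            $info.Signature = (Get-AuthenticodeSignature -FilePath $info.Path).Status
            # Heuristic (assumption for this example): a socket owner that is
            # unsigned AND not under %SystemRoot% or Program Files deserves a look.
            $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                Where-Object { $_ }
            $inTrustedRoot = $trustedRoots |
                Where-Object { $info.Path.StartsWith($_, 'OrdinalIgnoreCase') }
            $info.Suspicious = (-not $inTrustedRoot) -and ($info.Signature -ne 'Valid')
        }
    }
    $ProcessCache[$ProcessId] = $info
    return $info
}

function Get-PortOwners {
    # "Listen" answers PepiMK's question about server-mode ports;
    # "Established" shows the remote end for outbound connections.
    $tcp = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-OwningProcessInfo -ProcessId $_.OwningProcess
            [pscustomobject]@{
                Proto      = 'TCP'
                State      = $_.State
                Local      = "$($_.LocalAddress):$($_.LocalPort)"
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                PID        = $_.OwningProcess
                Process    = $p.Name
                Path       = $p.Path
                Signature  = $p.Signature
                Suspicious = $p.Suspicious
            }
        }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-OwningProcessInfo -ProcessId $_.OwningProcess
            [pscustomobject]@{
                Proto      = 'UDP'
                State      = 'Bound'
                Local      = "$($_.LocalAddress):$($_.LocalPort)"
                Remote     = '*'
                PID        = $_.OwningProcess
                Process    = $p.Name
                Path       = $p.Path
                Signature  = $p.Signature
                Suspicious = $p.Suspicious
            }
        }
    return @($tcp) + @($udp)
}

# Usage: suspicious owners first, then listeners, then everything else.
Get-PortOwners |
    Sort-Object -Property @{Expression = 'Suspicious'; Descending = $true}, State, Proto, Local |
    Format-Table Proto, State, Local, Remote, PID, Process, Signature, Suspicious -AutoSize
```

Read the output the way the post describes: a row with State `Listen` owned by a process that has no business serving (a screensaver, a scanner) is the "acting as a server" case; an `Established` row gives the remote address ZoneAlarm did not log. A process showing `Path` empty and `Signature` n/a usually just means the session was not elevated, so re-run as administrator before drawing conclusions. Note that this enumerates socket owners only; the thread-injection scenario PepiMK mentions would show up here as a legitimate, signed process (for example a browser) owning an unexpected connection, which is why the remote address matters more than the image name in that case.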