It's not a Norton issue. Any firewall worth their salt will report that. As well svchost.exe and System (pid 4)
Explorer is a user level process so practically any other project can inject into it and pretend it's explorer accessing the internet.
BHO's do this natively, since Explorer loads them into itself automatically.
Open Process Explorer, highlight Explorer.exe and hit Ctrl+L to bring up the lower pane view. Look for anything that is listed as Process or Thread. Some can obfuscate their origin as mutants, semaphores or show up as sections if they use IPC through named pipes.