By "server" I assume you mean the (a) Domain Controller.
Firewall settings in Group Policy Editor are in:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
or
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
If a GPO with any settings in the above applies to the computer account for
an XP SP2 computer, the state of the firewall is determined by the value of
"Windows Firewall: Protect all network connections":
"Enabled" - the firewall is On and cannot be set to Off by local
Administrator action.
"Disabled" - the firewall is Off and cannot be set to On by local
Administrator action.
"Not Configured" - a local administrator can turn the firewall On or Off,
but may or may not be able to change any settings when it is on, depending
on the values of other settings (e.g. if "Windows Firewall: Allow local
program exceptions" is Disabled, a local administrator cannot add local
program exceptions).
You don't need to make any local policy changes on the XP SP2 computer for
this to work (I tested this today for one computer in a large Windows 2000
domain).
There can be multiple applicable GPOs that have firewall settings, so use
Resultant Set of Policies to see which GPO a particular setting is coming
from ("Windows Firewall: Protect all network connections").
The Resultant Set of Policies feature in the Group Policy Management Console
is very useful for this - it also reports the local policy settings that
apply (as well as settings from GPOs). See
http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.
Use the "gpupdate /force" command on the XP SP2 computer to get Group Policy
related changes applied to the computer "immediately", rather than at the
next automatic update (if there are multiple Domain Controllers, you have to
wait for inter-DC replication to take place before running gpupdate will
have any effect).
Another alternative is to move the XP SP2 computer's account into an OU that
the GPO containing the Windows Firewall settings does not apply to; then the
firewall is completely under the local administrator's control.
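
An added example, not part of the original post: a small Python audit helper that applies the Enabled / Disabled / Not Configured rules described above to `reg query` output collected from an XP SP2 machine. The registry paths and the `EnableFirewall` value name do not appear in the post; they are assumed here as the locations where the GPO-delivered and local settings are stored, and the sample output is constructed.

```python
import re

# Assumed storage locations (not named in the post): the GPO-delivered switch
# and the locally configured switch for each Windows Firewall profile.
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
LOCAL_ROOT = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
              r"\SharedAccess\Parameters\FirewallPolicy")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

# Constructed sample: policy turns the Domain profile off, while the
# Standard profile has no policy value and is left to the local setting.
SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    EnableFirewall    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Return {lowercased key path: {value name: int}} for REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                current[match.group(1)] = int(match.group(2), 16)
    return keys

def firewall_state(keys, profile):
    """Apply the post's rules: a policy value wins and locks the switch."""
    policy = keys.get(f"{POLICY_ROOT}\\{profile}".lower(), {}).get("EnableFirewall")
    local = keys.get(f"{LOCAL_ROOT}\\{profile}".lower(), {}).get("EnableFirewall")
    if policy is not None:
        return {"setting": "Enabled" if policy else "Disabled",
                "on": bool(policy), "local_admin_can_toggle": False}
    # No policy value: "Not Configured", so the local setting decides.
    return {"setting": "Not Configured",
            "on": None if local is None else bool(local),
            "local_admin_can_toggle": True}

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    for name in ("DomainProfile", "StandardProfile"):
        print(name, firewall_state(parsed, name))
```
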