XP Firewall Controlled By Group Policy

Guest

I have XP SP2 loaded on a computer that is within a 2003 Small Business Server
Domain.

BY DEFAULT XP will not allow me to turn OFF the new windows firewall.

The radio button that says "Off (Not Recommended)" is greyed out.

At the top of the Windows Firewall Dialog Box is the following Text.
"For your security, some settings are controlled by Group Policy"

I've created a test LAB and loaded XP and then took SP2 and this behavior
occurs every time, regardless of whom I'm logged in as...I can be DOMAIN ADMIN
and it still occurs.

I know, I know...firewall on... good firewall off.... BAD

I still want it OFF. I don't want exceptions added. I just want it OFF!

I go to the Server and go to the Group Policy Editor and Edit the Internet
Connection Firewall GPO.

I go specifically to Computer Configuration/Administrative
Templates/Network/Network Connections/Windows Firewall:

Under Domain Profile and Standard Profile....I find NOTHING to disable the
new Windows Firewall...I'm able to add exceptions, but that's not what I
want. I want to allow the users to turn it OFF.

I've tried going to the local XP gpedit.msc and looking there for some way
to allow it, but cannot locate a setting.

Many people have pointed me to a MS Article about how to configure the XP
firewall....it doesn't mention how to turn it off either that I can find.

Any help here?
 
Guest

Hi
Open the firewall policy in Group Policy

open the setting "Protect all network connections"

set this to Disable and the firewall is turned off on all connections

Michael
 
Guest

Where?
I am looking at the server under the domain, under the forest.
I don't see it.
 
Torgeir Bakken (MVP)

jcrand said:
(snip)
I still want it OFF. I don't want exceptions added. I just want it OFF!

I go to the Server and go to the Group Policy Editor and Edit the Internet
Connection Firewall GPO.

I go specifically to Computer Configuration/Administrative
Templates/Network/Network Connections/Windows Firewall:

Under Domain Profile and Standard Profile....I find NOTHING to disable the
new Windows Firewall...I'm able to add exceptions, but that's not what I
want. I want to allow the users to turn it OFF.

Hi

From PolicySettings.xls available at
http://www.microsoft.com/downloads/...c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en

for the "Windows Firewall: Protect all network connections" found
in the locations you have listed above:

<quote>
If you disable this policy setting, Windows Firewall does not run.
This is the only way to ensure that Windows Firewall does not run
and administrators who log on locally cannot start it.
</quote>


If you are thinking about just disabling the firewall just for
Domain Profile and not Standard Profile, you should read and
look into the information below.

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the domain profile.

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.
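
The profile-selection rule quoted above, worked through as an added example (not part of the thread and not Microsoft's code). It parses a constructed `ipconfig` listing and compares the eligible connection-specific DNS suffixes with a `NetworkName` value passed in as a string; the function names, the sample output and the case-insensitive comparison are assumptions.

```python
import re

# Constructed sample of `ipconfig` output (not taken from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.local
        IP Address. . . . . . . . . . . . : 192.168.16.20

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : corp.example.local
        IP Address. . . . . . . . . . . . : 10.8.0.5
"""

HEADER = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):\s*$")
SUFFIX = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(?P<suffix>\S*)\s*$")


def connected_suffixes(ipconfig_text):
    """Map adapter name -> DNS suffix for connected adapters that are not PPP/SLIP."""
    found, name, skip = {}, None, True
    for line in ipconfig_text.splitlines():
        header = HEADER.match(line)
        if header:
            name = header.group("name")
            skip = header.group("kind").upper() in ("PPP", "SLIP")
        elif "Media disconnected" in line:
            skip = True  # not a currently connected connection
        elif not skip:
            suffix = SUFFIX.match(line)
            if suffix and suffix.group("suffix"):
                found[name] = suffix.group("suffix")
    return found


def firewall_profile(ipconfig_text, network_name):
    """Return 'domain' if any eligible suffix equals NetworkName, else 'standard'."""
    wanted = network_name.strip().lower()  # case-insensitive match is an assumption
    suffixes = connected_suffixes(ipconfig_text).values()
    return "domain" if wanted and wanted in (s.lower() for s in suffixes) else "standard"
```

With the sample above and a `NetworkName` of `corp.example.local` the result is `domain`; if only the PPP connection carries that suffix (a laptop on another network with a VPN up), the result is `standard`, so a firewall disabled only in the Domain Profile would be governed by the Standard Profile settings there.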
 
Guest

Thanks~!

Torgeir Bakken (MVP) said:
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
