XP Firewall - replacing 'netfw.inf' on client machines.

Barkley Bees

A little background. We recently completed a migration to a new network and
domain (~1200 clients) and I need to deploy a firewall setting change to all
systems to reflect the scope change for some of the allowed applications
(for example, SMS Remote). All the clients that existed before the migration
have scopes that are no longer valid for the allowed applications. All
clients deployed after the migration are using a different image so their
scopes are set correctly.

Can anyone recommend the best route to remedy this? I don't believe Group
Policy is the right way as we are not looking to introduce new exceptions
but rather edit the existing ones on the older clients. I was thinking that
replacing the "netfw.inf" (with the desired settings) and running "netsh
firewall reset" would be the best route. After some thought though, I am
concerned as to what would happen to the exceptions that existed on some
clients that may not be included in the updated "netfw.inf" (i.e.,
applications that the users themselves have installed. Not all systems have
the same apps installed). Would they disappear? Thank you.
 
Barkley Bees

Just in follow-up to myself. To avoid the problem I previously described,
would it be best to do the registry edits directly instead of replacing the
"netfw.inf"? It would seem that replacing the "netfw.inf" would be a "blanket
effect" replacing everything, whereas doing the desired registry edits for
the specific ports and allowed applications would seem the better route.

The question then becomes, if I went the registry edit route
(HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
.......) how would this best be done (logon script) and would the client PC
still be required to run "netsh firewall reset"? Appreciate any feedback or
advice.
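
The targeted edit considered in the second post, sketched as an added example (not from the thread): it rewrites the scope field only for the listed programs and leaves every other exception as found. It assumes the `path:scope:Enabled|Disabled:name` layout of the values under `AuthorizedApplications\List`; the program paths, names and addresses are constructed, and `rescope` is a hypothetical helper.

```python
import re

# Assumed layout of each REG_SZ value under
# ...\FirewallPolicy\<Profile>\AuthorizedApplications\List:
#   <program path>:<scope>:<Enabled|Disabled>:<display name>
# The path may itself contain a drive-letter colon, so match from the right-hand fields.
ENTRY = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

def rescope(entries, new_scopes):
    """Return (updated, changes); only programs named in new_scopes are touched."""
    wanted = {path.lower(): scope for path, scope in new_scopes.items()}
    updated, changes = {}, []
    for value_name, data in entries.items():
        m = ENTRY.match(data)
        target = wanted.get(m.group("path").lower()) if m else None
        if target is None or m.group("scope") == target:
            # Not a targeted program, unparsable, or already correct: keep as found.
            updated[value_name] = data
            continue
        updated[value_name] = ":".join(
            [m.group("path"), target, m.group("state"), m.group("name")]
        )
        changes.append((value_name, m.group("scope"), target))
    return updated, changes

# Constructed sample: one managed tool with a stale scope, one user-installed
# application, and one entry that uses an environment variable in its path.
REMOTE = r"C:\Tools\RemoteAdmin\remote.exe"
CHAT = r"C:\Program Files\Chat\chat.exe"
SESS = r"%windir%\system32\sessmgr.exe"
SAMPLE = {
    REMOTE: REMOTE + ":192.168.1.0/255.255.255.0:Enabled:Remote Admin",
    CHAT: CHAT + ":*:Enabled:Chat",
    SESS: SESS + ":*:enabled:@xpsp2res.dll,-22019",
}
NEW_SCOPES = {REMOTE: "10.20.0.0/255.255.0.0"}  # constructed new-network scope

if __name__ == "__main__":
    result, changed = rescope(SAMPLE, NEW_SCOPES)
    for name, old, new in changed:
        print(f"{name}: {old} -> {new}")
    print(f"{len(result) - len(changed)} entries left untouched")
```

Running the same function over an export taken before and after a change gives a per-machine record of which exceptions were altered.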
 
