XP firewall turn off GP

[Guest]

I have a new SBS 2003 server. Apparenly there is a group policy that does not
allow my XP users to turn off their firewall. I have screwed around with
gpedit but can't seem to figure it out. Can someone please tell me how to set
it up so the user can turn it off as well as on?

 

[Florian Frommherz]

Howdy!

I have a new SBS 2003 server. Apparenly there is a group policy that does not
allow my XP users to turn off their firewall. I have screwed around with
gpedit but can't seem to figure it out. Can someone please tell me how to set
it up so the user can turn it off as well as on?

Well your users will need to have administrator privileges to turn
on/off the firewall - I assume that you know that ( - I do also assume
that you know, that running users with local admin accounts on the
workstation isn't either).

You could check if the following policy is set to "Enable". If so, turn
it back to "Not Configured":

"CompConf\Adm Templ\Network\Network Connections\Windows Firewall\Domain
Profile\" - "Windows Firewall: Protect all network connections".

cheers,

Florian

 

[Steven L Umbach]

Well the user needs to be a local administrator which in most cases is not
desirable as they can then do things like create a user account to logon to
and bypass Group Policy user configuration, disable applications, install
kazaa, etc. But to answer your question go to the controlling Group Policy
for "computer configuration"/administrative templates/network/network
connections/Windows firewall and set prohibit use of Internet Connection
Firewall to not configured or disabled. There are other settings you can
review in the domain and standard profile depending on what you want to
manage and be sure to read the full explanation of each settings. If you are
not sure of the controlling Group Policy run rsop.msc on one of the
computers and you should see the settings applied I mentioned and it will
show what Group Policy is applying the setting. I would suggest however that
you manage the Windows Firewall to have the most security advantage for your
domain which you should be able to do with all the various settings in
domain and standard profile. I would feel very uncomfortable letting users
disable the Windows Firewall but that is your call. --- Steve

 

[Guest]

Thanks to both replies.
This is a very small office of only 5 people. Everyone is a admin
of there local machine already. Next time I go there I will check this out.
Thanks
Clayton

 

[Guest]

Okay,
I checked the GP setting it it says "Not Configured"
any other ideas?
I am doing this remotely so I can't run the rsop yet.

 

[Steven L Umbach]

Also take a look at the setting in the domain and standard profile for
"protect all network connections" an make sure that is set to not
configured. Just checking in local Group Policy is not good enough as you
need to run rsop.msc to see if that setting is enabled or disabled via some
Group Policy and again be sure to read the full description of the Group
Policy settings. I am assuming here your XP computers are running Service
Pack 2. You should be able to run rsop.msc in the run box on the remote
computer if you can access via Remote Desktop or via the domain controller
via the mmc snapin for Resultant Set of Policy if you are accessing the
domain controller remotely ideally in logging mode but even planning mode
can help determine which Group Policy is applying a setting. --- Steve