Re: Turning off Windows Firewall

From: Bruce Sanderson (Bruce.Sanderson_at_junk.junk)
Date: 11/03/04 

Date: Tue, 2 Nov 2004 15:35:45 -0800

By "server" I assume you mean the (a) Domain Controller.

Firewall settings in Group Policy Editor are in:

  Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile
or
  Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Standard Profile

If a GPO with any settings in the above applies to the computer account for
an XP SP2 computer, the state of the firewall is determined by the value of
"Windows Firewall: Protect all network connections":

  "Enabled" - the firewall is On and can not be set to Off by local
Administrator action.

  "Disabled" - the firewall is Off and can not be set to On by local
Administrator action.

  "Not Configured" - a local administrator can turn the firewall On or Off,
but may or may not be able to change any settings when it is on, depending
on the values of other settings (e.g. if "Windows Firewall: Allow local
program exceptions" is Disabled, a local administrator can not add local
program exceptions)

You don't need to make any local policy changes on the XP SP2 computer for
this to work (I tested this today for one computer in a large Windows 2000
domain).

There can be multiple applicable GPOs that have firewall settings, so use
Resultant Set of Policies to see which GPO a particular setting is coming
from ("Windows Firewall: Protect all network connections"):.

The Resultant Set of Policies feature in the Group Policy Management Console
is very useful for this - it also reports the local policy settings that
apply (as well as settings from GPOs). See
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.

Use the "gpupdate /force" command on the XP SP2 computer to get Group Policy
related changes applied to the computer "immediately", rather than at the
next automatic update (if there are multiple Domain Controllers, you have to
wait for inter-DC replication to take place before running gpupdate will
have any affect).

Another alternative is to move the XP SP2 computer's account into an OU that
the GPO containing the Windows Firewall settings does not apply to; then the
firewall is completly under local administrators control. 

-- 
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"Terry" <Terry@discussions.microsoft.com> wrote in message 
news:9710A5BF-6D7F-4D7F-87D8-2B3A24155BD4@microsoft.com...
> Bruce....can you be a little more specific regarding which group policy
> settings need to be changed?  I'm in a similar predicament, with an XP-SP2
> workstation unable to turn off the firewall in either domain or standard
> mode.  I'm pretty sure I know where to look within Group Policy to effect 
> the
> changes (Administrative Templates-Network-Network Connections-Windows
> Firewall-Domain Profile), but I'm unsure where to proceed from there.  I
> haven't modified any of the current settings (they're all set to "Not
> configured"), which I thought would've allowed me the freedom to turn 
> on/off
> the firewall, but obviously it hasn't.  I'd also like to know whether I 
> need
> to make changes on the server only, or if I need to change any local 
> policy
> settings as well.
>
> Thanks,
> Terry
>
> "Bruce Sanderson" wrote:
>
>> Ask your Domain Administrator to move the computer's account into an OU 
>> to
>> which the Group Policy Object containing the Firewall setttings does not
>> apply.
>>
>> -- 
>> Bruce Sanderson MVP
>>
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>> "Pierre" <me@internet.com> wrote in message
>> news:uR0H9eFwEHA.2600@TK2MSFTNGP09.phx.gbl...
>> > WinXPPro SP2 machine connected to Windows 2003 server.
>> >
>> > I don't have the option to turn of or off Windows Firewall.
>> > It's on, but i can't turn it off - the options are grayed out.
>> >
>> > It says the settings are managed by Group Policy.
>> >
>> > What settings do i have to change on the server then,
>> > in order to have the ability to turn off the firewall,
>> > at least on this one machine?
>> > (since there is a program running that seems to be incompatible with 
>> > the
>> > firewall).
>> >
>> >
>>
>>
>>

Relevant Pages

  • Re: File sharing
    ... When you run rsop.msc you will get a report screen showing Group Policy ... connections/Windows Firewall and what settings from what Group Policy. ... setting to accept connections on the local subnet plus connections from my ...
    (microsoft.public.windowsxp.security_admin)
  • Re: XP machine removed from domain still gets domain policy
    ... then turn off the firewall. ... Prohibit use of the Internet Connection Firewall on your DNS domain network? ... Firewall settings), the Firewall settings revert back to the default and ... the only Group Policy being applied is the "Local Group Policy" ...
    (microsoft.public.windows.group_policy)
  • Re: XP machine removed from domain still gets domain policy
    ... My test shows that when a computer is removed from a domain (that had a GPO setting the Firewall settings), the Firewall settings revert back to the default and local administrators can change the settings. ... the only Group Policy being applied is the "Local Group Policy" ...
    (microsoft.public.windows.group_policy)
  • Re: Network Services/NT Authority
    ... OK that is what I though in that you did not change any Group Policy ... settings but instead were managing the Windows Firewall settings and no you ... logon which is normal as your computer really is on a network - the ... ICMP and then the option to reset all the firewall ...
    (microsoft.public.windowsxp.security_admin)
  • Re: ZA Conceptual Question
    ... > There is plenty you can do with the firewall settings. ... > Program controls will not by themselves control traffic to a server ... > port 80 for example you would have to use the firewall controls to ...
    (comp.security.firewalls)