gbarrientos


Disable Windows XP Internet Connection Firewall Remotely

I am looking for a way to disable the Internet Connection Firewall feature in XP remotely, either by script or group policy. I am on a Windows 2000 domain and I don't see anything in group policies referring to the Internet Connection Firewall feature in Windows XP. The firewall prohibits the help desk technicians from remotely placing files on a user's computer, even with a domain admin account. Any suggestions? (Note: Going to each computer individually is out of the question)
novacopy

Isn't the whole point of a firewall to prevent something like this?

I heard that in XP Service Pack 2 it automatically turns your firewall on.
It does actually, but you can turn the firewall off if you use a wireless network, that is, you're not really connecting to the computer using the internet, but rather a local (in the building) wireless network.
It should allow this, since the connection is coming through the trusted local wireless port and not the web.
Or a simple solution would be keeping the firewall off and using a commercial firewall.
They have more configs. Just set the firewall to accept connections from your wireless device so that you can turn it off.
Install the 2003 Administration Tools on an XP box.  From that box, if you configure your GPO, you'll see the Firewall Settings, where you can force the firewall to off and not allow it to turn on, set the default to off and let people turn it on, or just have your setting ignored.
No, I still recommend a commercial firewall, but you can download a FREE ultra configurable (for your switch-off needs) firewall.
Go to: http://www.download.com/ZoneAlarm/3000-2092-10306241.html?tag=list (it's ZoneAlarm)
In fact this gives MORE configuration than GPO and it's EASY!
billyea, what do you mean, "No"?  I think gbarrientos was looking for a way to globally disable MS's FW.  That's how I've done it successfully here.

If you are alluding to running without a FW, I would agree with you that it isn't recommended.  We use ISS' RealSecure here for our laptops, which is deployed and configured centrally.  It also has a neat tool that lets me monitor events on all of the workstations.  Not free though.




ASKER

Well, our company does have a firewall. We use PIX between our router and the "outside world" along with other hardware to stop things like viruses and worms. So in this case there is no need for each computer to have an individual firewall.
robrandon, can I use the 2003 admin tools on a Windows XP box to configure my domain policy? If so, are there any issues that I should worry about... or keep an eye out for?
Or should I go ahead and purchase a license for Windows Server 2003 and configure the changes there?
If he has a router firewall then he shouldn't be worried about this question at all, since you won't need a firewall on each computer.
Yes, I have a hardware firewall... but my question is how to DISABLE the firewall of my clients so that I, as a Domain Administrator, can freely access files on my clients' computers.
Thanks, robrandon and billyea. I will try this out in my test lab and will post results.
You're welcome.
FYI, the setting can be found at:

Computer Configuration\Administrative Templates\Network\Network Connections

robrandon,
I can’t seem to find the setting that you are talking about. Is there a need for a Windows 2003 server to be in place to do this? I am using a Windows XP Pro computer with the admin pack installed and I don’t see the setting that you are talking about.
I am looking at Computer Configuration>Admin Templates>Network>Network and Dial up Connections and the only thing I see there is the Prohibit configurations of connection sharing.

billyea,
Do you know what the script will do on a domain with both Windows 2000 and Windows XP systems? Will there be some type of error? And does the script need to be run under a user with Admin Rights?
Probably with admin rights.
To be safe, make a system restore point before executing the script. Currently, Windows doesn't allow the script to be run remotely (as that would defeat the purpose of a firewall and hackers would come in). If you do find a way to run it remotely, you're on the right track.

This info is correct though. It simply creates a new object for the firewall and then turns that object off, nothing harmful, although you might need a Visual Basic technician to check it out.
billyea
I will have our programmer check it out.

However... I would prefer to use Group Policies to change this feature....
gbarrientos,
Under Network, the subfolders I have are DNS Client, Offline Files, Network Connections, QoS Packet Scheduler, and SNMP.  I'm using Windows XP with Service Pack 1.   No need for a 2003 server on the network.  

Did you load up the 2003 admin tools or the 2000 admin tools?


Yeah, I think you have the 2000 tools loaded, because I see Network and Dial-up Connections when I check the Policy on my 2000 Server.

If you load up the 2003 Tools you should be fine to do this in GP.
robrandon,
I see the problem... I am editing the existing policy already on the server. However, when I created a new policy I see all the options you described above. Now my next question, and I'm not sure if this should be another post: is there a way to import the settings from the existing Default Domain Policy into a new policy which supports XP functions?
No idea on that one.  I wonder if it can't be the default domain policy at all because it is a 2000 domain.  But I'm really not sure of that, or if you can copy settings from one policy to another.  Sorry.



You can launch the script remotely with the "at" command.  

at \\machine_name 12:00PM cmd /c "c:\scripts\nofirewall.vbs"

or at /? at a command prompt for more options.

NV
NoahVail, can you e-mail me that nofirewall.vbs script?  Thank you.
I don't have your email address.  Anyway it's the script that's posted above.

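' Create the Windows Firewall manager COM object
Set objFirewall = CreateObject("HNetCfg.FwMgr")
' Get the firewall profile that is currently in effect
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
' Turn the firewall off for that profile
objPolicy.FirewallEnabled = FALSE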

The soon command is better than the at command because you aren't dependent on the clock of the remote machine being accurate.

Microsoft posts info and a download link for soon.exe here.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/soon-o.asp

NV
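
A read-only check to run on a client after the script or the Group Policy setting discussed in this thread has been applied (an added example, not code from any poster in the thread). It uses the same HNetCfg.FwMgr object to report both the domain and standard profiles, because the posted script changes only the profile that is current when it runs; the function names OnOff and DescribeProfile are illustrative.

```vbscript
' Added example: report Windows Firewall state per profile without changing it.
Option Explicit

' Enumeration values from the Windows Firewall COM API
Const NET_FW_PROFILE_DOMAIN = 0
Const NET_FW_PROFILE_STANDARD = 1
Const NET_FW_SERVICE_FILE_AND_PRINT = 0

Function OnOff(value)
    If value Then OnOff = "on" Else OnOff = "off"
End Function

' Build a one-line summary for one firewall profile (illustrative helper)
Function DescribeProfile(policy, profileType, label)
    Dim profile, svc
    Set profile = policy.GetProfileByType(profileType)
    Set svc = profile.Services.Item(NET_FW_SERVICE_FILE_AND_PRINT)
    DescribeProfile = label & ": firewall " & OnOff(profile.FirewallEnabled) & _
        ", all exceptions blocked " & OnOff(profile.ExceptionsNotAllowed) & _
        ", file and printer sharing exception " & OnOff(svc.Enabled)
End Function

Dim fwMgr, policy, active

' The object does not exist on systems without the Windows Firewall COM API
' (for example Windows 2000), so report that instead of failing.
On Error Resume Next
Set fwMgr = CreateObject("HNetCfg.FwMgr")
If Err.Number <> 0 Then
    WScript.Echo "HNetCfg.FwMgr is not available on this machine."
    WScript.Quit 2
End If
On Error GoTo 0

Set policy = fwMgr.LocalPolicy
If fwMgr.CurrentProfileType = NET_FW_PROFILE_DOMAIN Then
    active = "domain"
Else
    active = "standard"
End If

WScript.Echo "Active profile: " & active
WScript.Echo DescribeProfile(policy, NET_FW_PROFILE_DOMAIN, "Domain profile")
WScript.Echo DescribeProfile(policy, NET_FW_PROFILE_STANDARD, "Standard profile")
```

Run it with cscript //nologo so the three lines go to the console instead of message boxes.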