Group Policy Windows XP Firewall - Disable for Internal Networks Only?

Currently I have a group Policy for all machines: Domain Profile & Standard Profile where "Protect all network connections" = Disabled.  This is a quick basic GP to disable the firewall on all machines.

I would like to allow the firewall to Enable when the Laptops are outside the office.

It appears I need to allow the firewall to come on under the Standard Profile.  Is this correct?

If so how do I define my local networks?  We have 4 sites and only 2 have DC's\Global Catalogs.

For Example where can I say that when on subnets: & & & the firewall is completely disabled?

I know this sounds simple, but since 2004 it appears firewall articles are junked up and I cannot find a simple and CONFIRMED explanation to this.

Please Help, Thanks

There are two sets of Windows Firewall settings to configure:

The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member. I.E. @ Home, Outside the office.

If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles, except if you are already using a third-party host firewall product.

The standard profile settings are typically more restrictive than the domain profile because the standard profile settings do not need to include applications and services that are only used in a managed domain environment.

Both the domain profile and standard profile contain the same set of Windows Firewall settings.

Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings
To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

Ensure Windows XP SP2 is installed on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.
Click OK.
Click Finish to complete the Group Policy Wizard.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.

Here is a good Microsoft link with a process flow.
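
To check on a client which value each profile actually received, the following added example (not part of the original answer) reads the `EnableFirewall` value that the "Protect all network connections" policy writes for each profile and falls back to the local setting when no policy is present. The function names are hypothetical, and the desired state (off in the Domain profile, on in the Standard profile) is assumed from the question.

```powershell
# Added example: report the effective Windows Firewall state per profile on one client.
# Values delivered by Group Policy live under the Policies key and override the local setting.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Assumed target state, taken from the question: off on the domain network, on elsewhere.
$desired = @{ DomainProfile = 0; StandardProfile = 1 }

function Get-EnableFirewall([string]$root, [string]$profileName) {
    # Returns 0 or 1, or $null when the key or the value is not present.
    $key = Join-Path $root $profileName
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.EnableFirewall
}

function Get-FirewallProfileReport {
    foreach ($name in 'DomainProfile', 'StandardProfile') {
        $fromPolicy = Get-EnableFirewall $policyRoot $name
        $fromLocal  = Get-EnableFirewall $localRoot  $name

        # A policy value, when present, wins over the locally configured one.
        if ($fromPolicy -ne $null)    { $effective = $fromPolicy; $source = 'Group Policy' }
        elseif ($fromLocal -ne $null) { $effective = $fromLocal;  $source = 'Local setting' }
        else                          { $effective = $null;       $source = 'Not found' }

        New-Object PSObject -Property @{
            Profile   = $name
            Source    = $source
            Enabled   = $effective
            AsDesired = ($effective -eq $desired[$name])
        }
    }
}

Get-FirewallProfileReport | Format-Table Profile, Source, Enabled, AsDesired -AutoSize
```

A laptop that shows `StandardProfile` with `Enabled` 0 and `Source` "Group Policy" is still receiving the blanket disable policy. `netsh firewall show currentprofile` shows which of the two profiles the machine is using at that moment.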

NiceShotManAuthor Commented:
Are we seeing that a domain controller is required on each subnet that I would like the domain profile to apply?  If this is the case, how can we have those subnets not restrictive?
Yes, with Windows XP they only offered the two profiles, Standard & Domain.  In Vista and Windows 7 they offer the "Private" profile, which would give you some more options.  This is all based on NLA (Network Location Awareness); see this link for a detailed explanation.

You could set the standard profile settings to be the same as your domain profile settings and hence the domain firewall profile would be applied all the time because the standard profile is applied by default when a DC is not present.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.