• Status: Solved

Group Policy Windows XP Firewall - Disable for Internal Networks Only?

Currently I have a group Policy for all machines: Domain Profile & Standard Profile where "Protect all network connections" = Disabled.  This is a quick basic GP to disable the firewall on all machines.

I would like to allow the firewall to Enable when the Laptops are outside the office.

It appears I need to allow the firewall to come on under the Standard Profile.  Is this correct?

If so how do I define my local networks?  We have 4 sites and only 2 have DC's\Global Catalogs.

For Example where can I say that when on subnets: & & & the firewall is completely disabled?

I know this sounds simple, but since 2004 it appears firewall articles are junked up and I cannot find a simple and CONFIRMED explanation to this.

Please Help, Thanks
2 Solutions
There are two sets of Windows Firewall settings to configure:

The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member. I.E. @ Home, Outside the office.

If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles, except if you are already using a third-party host firewall product.

The standard profile settings are typically more restrictive than the domain profile because the standard profile settings do not need to include applications and services that are only used in a managed domain environment.

Both the domain profile and standard profile contain the same set of Windows Firewall settings.

Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings
To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

Ensure Windows XP SP2 is installed on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.
Click OK.
Click Finish to complete the Group Policy Wizard.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.

Here is a good Microsoft link with a process flow.
NiceShotMan (Author) Commented:
Are we seeing that a domain controller is required on each subnet that I would like the domain profile to apply?  If this is the case, how can we have those subnets not restrictive?
Yes, with Windows XP they only offered the two profiles, Standard & Domain.  In Vista and Windows 7 they offer the "Private" profile, which would give you some more options.  This is all based on NLA (Network Location Awareness); see this link for a detailed explanation: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx

You could set the standard profile settings to be the same as your domain profile settings, and hence the domain firewall profile would be applied all the time, because the standard profile is applied by default when a DC is not present.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
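
A way to check on a client which "Protect all network connections" value Group Policy delivered for each of the two profiles discussed above, as an added example that is not part of the original thread. It assumes PowerShell is installed on the client and that the goal is the one stated in the question (firewall off on the domain network, on everywhere else); the registry path and the EnableFirewall value name are where this policy setting is stored and are not given in the thread.

```powershell
# Added example: audit the Windows Firewall policy values a GPO wrote to this client.
# Assumption: desired state is the one from the question
# (domain profile = firewall off, standard profile = firewall on).
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$desired = @{ DomainProfile = 0; StandardProfile = 1 }   # EnableFirewall: 1 = on, 0 = off

function Get-FirewallPolicyValue {
    param([string]$ProfileName)
    # Returns 0 or 1 when the policy is set, $null when the profile is not configured.
    $item = Get-ItemProperty -Path (Join-Path $base $ProfileName) -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties['EnableFirewall']
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

$problems = 0
foreach ($name in 'DomainProfile', 'StandardProfile') {
    $actual = Get-FirewallPolicyValue $name
    if ($null -eq $actual) {
        # Not configured by policy: the local or default setting decides,
        # so the GPO is not enforcing anything for this profile.
        $status = 'NOT CONFIGURED'
        $shown  = '-'
        $problems++
    } elseif ($actual -eq $desired[$name]) {
        $status = 'OK'
        $shown  = $actual
    } else {
        $status = 'MISMATCH'
        $shown  = $actual
        $problems++
    }
    '{0,-16} EnableFirewall={1} expected={2} {3}' -f $name, $shown, $desired[$name], $status
}

# Show which profile the firewall is using on the current network (XP SP2 netsh context).
netsh firewall show state

if ($problems -gt 0) { exit 1 }
```

Run it once on the office network and once off it; the policy values stay the same, while the profile reported by netsh should change between the two locations.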
