April 27, 2004 12:00 AM

Meet Windows Firewall

Get the lowdown on XP SP2's successor to ICF
Windows IT Pro
InstantDoc ID #42293

A GPE note. If you're creating a domain-based GPO to control Windows Firewall, you'll need to do a little preparation. Because the Windows Firewall policy settings are all new, your Windows Server 2003- or Windows 2000-based domain controller's (DC's) copies of GPE (gpedit.msc) almost certainly won't display the Windows Firewall policy settings. (I say "almost certainly" because a Windows 2003 system that's running Windows 2003 SP1—which is supposed to ship sometime this year—would have the settings. That service pack will modify Windows 2003's firewall in the same way that XP SP2 modifies XP's firewall.)

To create a domain-based GPO that includes the new Windows Firewall settings, load the Windows 2003 administration tools onto an XP box that has SP2 installed. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (for a site policy, open the MMC Active Directory Sites and Services snap-in) at that XP system. You can then create or edit a GPO that includes the new policy settings.

Configuring mobile and domain profiles from the command line. Domain-based Windows Firewall policies are great, but users who aren't yet running AD are likely to turn to batch files for help. The mobile and domain profiles make Windows Firewall more attractive, but can you control them from the command line? The answer is yes—you can even set up mobile and domain profiles from the command line.

To control Windows Firewall's behavior in a particular profile, just add the profile= parameter to the Netsh Set Opmode command, followed by the keyword current, all, corporate, or other. The current keyword tells the system to make the change to the active profile. The all keyword means make this change to both profiles. Less obvious are the corporate keyword, which changes the domain profile, and the other keyword, which changes the mobile profile. (I sometimes get the idea that lots of people at Microsoft are working on Windows Firewall and that they don't all talk to one another.)

Suppose I want to use the command line to set up a system that turns off Windows Firewall while the system is connected to a domain and turns on the firewall otherwise. The following two commands accomplish that task:

netsh firewall ipv4 set opmode mode=disable profile=corporate
netsh firewall ipv4 set opmode mode=enable profile=other

Digging Deeper
Armed with these basics, you can get started using Windows Firewall's power. But let me stress two things. First, I don't recommend turning off the firewall in mobile mode. Second, I think that enabling the firewall isn't a bad idea even inside a domain.

We've just scratched the surface of Windows Firewall's abilities, and they really are worth understanding better. In an upcoming article, I'll dig deeper.


Comments
  • Anonymous User
    7 years ago
    Feb 22, 2005

    Well, I think it is a bloody awful thing.
    I can't even get it to work on a simple internet machine with one attached PC using Windows network.. only one machine can access internet at a time if I have file sharing turned off.. turned on it all goes potty on its own

  • IT
    8 years ago
    Oct 27, 2004

    I've really been concerned about having Firewall enabled inside my domain, but we've been doing some testing and it seems ok. This article helps convince me that we're doing the right thing.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.