Note: The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting can disable the Windows Firewall (the "Operational Mode" item in the netsh command display is set to "Disable") if you do not also set the Windows Firewall: Protect All Network Connections Group Policy setting to Enabled.
To determine whether program or port-based exceptions were obtained from local settings or from Group Policy, examine the "Program exceptions" and "Port exceptions" sections of the netsh firewall show state verbose=enable command display. These sections are tables containing the list of exceptions. For each table, there is a "Local policy" column. If the entry in the "Local policy" column for an exception is set to "Yes", the exception was configured through local policy settings. If it is set to "No", the exception was configured through Group Policy settings.
Here is an example of a portion of the "Port exceptions" section of the netsh firewall show state verbose=enable command display:
Port exceptions:
Port   Protocol  Local policy  Mode     Name / Service type
-------------------------------------------------------------------
137    UDP       Yes           Enable   NetBIOS Name Service / File and Printer Sharing
    Scope: LocalSubNet
138    UDP       Yes           Enable   NetBIOS Datagram Service / File and Printer Sharing
    Scope: LocalSubNet
139    TCP       Yes           Enable   NetBIOS Session Service / File and Printer Sharing
    Scope: LocalSubNet
445    TCP       Yes           Enable   SMB over TCP / File and Printer Sharing
    Scope: LocalSubNet
3389   TCP       No            Enable   Remote Desktop / Remote Desktop
    Scope: *
In this example, all the port exceptions except for Remote Desktop were configured through local policy settings.
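The check described above can be scripted when the command output is collected from many computers. The following Python parser is an added example, not part of the original documentation; it assumes the column layout shown in the example, rejoins names that the console wrapped onto a second line, and its function names and sample text are constructed for illustration.

```python
import re

# Constructed sample modeled on the example above, console wrapping included.
SAMPLE = """\
Port exceptions:
Port   Protocol  Local policy  Mode     Name / Service type
-------------------------------------------------------------------
137    UDP       Yes           Enable   NetBIOS Name Service / File and Printer
 Sharing
    Scope: LocalSubNet
138    UDP       Yes           Enable   NetBIOS Datagram Service / File and Prin
ter Sharing
    Scope: LocalSubNet
3389   TCP       No            Enable   Remote Desktop / Remote Desktop
    Scope: *
Later section (constructed):
80     TCP       Yes           Enable   Outside the table / Not parsed
"""

ROW = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Yes|No)\s+(Enable|Disable)\s+(.*)$")

def parse_port_exceptions(text):
    """Return one dict per row of the "Port exceptions" table."""
    rows, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Port exceptions:":
            in_table = True
        elif not in_table or not stripped or set(stripped) == {"-"}:
            continue
        elif (m := ROW.match(line)):
            port, proto, local, mode, name = m.groups()
            rows.append({"port": int(port), "protocol": proto, "mode": mode,
                         # "Yes" = local settings, "No" = Group Policy
                         "source": "local" if local == "Yes" else "group_policy",
                         "name": name, "scope": None})
        elif rows and stripped.startswith("Scope:"):
            rows[-1]["scope"] = stripped.split(":", 1)[1].strip()
        elif stripped.endswith(":"):
            break  # heading of the next section ends the table
        elif rows and rows[-1]["scope"] is None:
            rows[-1]["name"] += line  # wrapped remainder of the name column
    return rows

def locally_configured(rows):
    """Ports whose exception came from local settings, not Group Policy."""
    return [(r["port"], r["protocol"]) for r in rows if r["source"] == "local"]

if __name__ == "__main__":
    for r in parse_port_exceptions(SAMPLE):
        print(r)
```

Exceptions reported by locally_configured are the ones a local administrator or program added outside of Group Policy, which makes them the entries to review first on a managed computer.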
For a definitive list of Windows Firewall settings that are configured by Group Policy, use the Resultant Set of Policy (RSOP) snap-in. For more information, see Windows XP Help and Support.