Using the GUI
The XP GUI has changed a bit since its pre-SP2 days, at least insofar as Windows Firewall is concerned. Depending on how your GUI is set up, when you click Start, Control Panel, you should see a category named either Network Connections or Network and Internet Connections. If you see the Network Connections category, you might see in the left pane a Network Tasks section that contains a Configure Internet Connection Firewall link. If so, click that link. If you see instead a Local Area Connection link (referring to a wired Ethernet adapter) or a Wireless Network Connection link, right-click that link, choose Properties, click the Advanced tab, then click Settings. If you have a Network and Internet Connections category instead of a Network Connections category in Control Panel, click that category, then, under Pick a task in the left pane, click Configure your firewall.
Regardless of which route you take, you should see an Internet Connection Firewall Properties page. (The final SP2 code might call the page Windows Firewall Properties.) The page has tabs named General, Exceptions, Network Connections, Log Settings, and ICMP. The General tab offers three radio buttons: On (recommended), On with no exceptions, and Off. Click Off, click OK, then close Control Panel, and Windows Firewall will be disabled.
Using the Command Line
You might prefer to disable Windows Firewall from the command line if you're a command-line junkie like me or if you want to change Windows Firewall settings en masse and can't use Group Policy, perhaps because you don't yet use AD. With SP2, the already powerful Netsh command gains a new set of options for controlling Windows Firewall. You can shut off Windows Firewall altogether by opening a command prompt and typing
netsh firewall ipv4 set opmode mode=disable
This command turns off the firewall on any and all NICs on your system.
But suppose you don't want to turn off Windows Firewall on all your NICs. For example, suppose you like the idea of enabling the firewall on your wireless NIC and want to disable it only on your Ethernet card. You can use the Netsh Set Opmode command with the interface=name parameter. If your system's wireless card is named wireless network connection and its Ethernet card is called local area connection, you can use the following commands to turn Windows Firewall on for the wireless card and turn it off for the Ethernet card:
netsh firewall ipv4 set opmode mode=enable interface="wireless network connection"
netsh firewall ipv4 set opmode mode=disable interface="local area connection"
Veteran Netsh users will note that unlike other Netsh parameters, the interface=name parameter requires you to fully name the interface. If the interface=name parameter worked like other Netsh parameters, interface=w would be sufficient to differentiate the wireless network connection interface from the local area connection interface. But at least in the SP2 beta that I worked from while I was writing this article, you must type the complete interface name.
Using Group Policy
In addition to the GUI and the command-line interface, XP SP2 lets you disable Windows Firewall from Group Policy Editor (GPE) as either a local or a domain policy. You've always been able to turn off the firewall from a Group Policy Object (GPO), but the ability was very limited: turning off the firewall was about all you could do. SP2 provides an entirely new category (i.e., folder) of GPOs to control Windows Firewall.
In GPE, navigate to Computer Configuration, Administrative Templates, Network, Network Connections, Internet Connection Firewall, as Figure 1 shows. Inside the Internet Connection Firewall folder are two more folders: Domain Profile and Mobile Profile. This notion of Windows Firewall's two profiles is important, so let's sidetrack and consider it.
Two Windows Firewall profiles. Microsoft recognized that many people wouldn't want to enable Windows Firewall on systems inside the network but that they might want to enable Windows Firewall when those systems were outside the network. Consequently, Microsoft made the firewall smart enough to determine whether the machine is logged on to a domain. When it is, Windows Firewall follows the instructions in the Domain Profile folder. But when the machine isn't logged on to a domain (note that Windows Firewall determines whether the machine, not the user, is logged on to a domain), Windows Firewall looks to the Mobile Profile folder for its marching orders.
As I mentioned, SP2 Group Policy represents these two sets of policy settings as folders, or categories in Group Policy-speak. Each folder contains the same nine policy settings, one of which is called Operational Mode. You can disable Windows Firewall through the Operational Mode setting. To turn off Windows Firewall, change the setting to Disabled and apply the policy.
Operational Mode has two other possible states: Enabled and Shielded. The Enabled state turns on the firewall and lets you open any ports that you need to. If you might want to turn on Windows Firewall when your machine isn't attached to your domain, set the Domain Profile folder's Operational Mode to Disabled and set the Mobile Profile folder's Operational Mode to Enabled.
The Shielded state turns on the firewall and ignores requests to open incoming ports. The idea behind this setting is that if a worm were attacking your network, you could enable Shielded mode, shutting out all unsolicited incoming data and rendering the worm incapable of infecting your systems.