There are 3 GPO’s that affect the firewall on client machines in an SBS 2008 domain.
Open the group policy management console on the SBS and edit each of the 3 following GPO’s, or the ones that match the types of client PC’s you have. They can be found under My Business | Computers | SBS Computers or under Group Policy Objects:
Windows SBS Client – Windows Vista Policy
Windows SBS Client – Windows XP Policy
Windows SBS Client
The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | Protect All Network connections
By default this is set to enabled. Setting to disabled will turn it off, setting to not configured allows administrators to enable or disable the firewall on the PC.
Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Standard Profile | Protect All Network connections
There is another GPO: Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network”, which can override the above. The default is set to not configured, but if has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as “not configured”
Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation: