I have several Win7 Pro PC's in a Domain. The firewall service is currently DISABLED (under services) and I cannot ping or RDP to the PC. If I enable the firewall service, then turn OFF the firewall for the Domain in Firewall settings, I CAN ping and RDP to the PC. Now the weird part....if I again DISABLE the firewall service (in SERVICES), on some PC's I can ping and RDP and on other's I cannot. I can reboot ALL the PC's and the same ones let me in and the others don't. They are in the same OU and have all the same GP's applied. Unfortunately, the company that I am working on this has some sort of belief that they NEED the firewall service disabled to allow their apps to work correctly (they needed this for the XP PC's) I have tried to convince them otherwise, but they will not enable the service, then disable the firewall on the Domain side via GP. They stated they tested this and the apps did not work and their vendor recommended disabling the service. They are unwilling to change this policy. I need this to work as I am attempting to run Powershell scripts against the PC's and they are failing because they are being "blocked" by the PC. I am stuck here... Thanks, Tim

Hi Tim, Thanks for posting in TechNet forum. When you only stop the firewall service, it will cause the boot-time filters to load. The proper way to completely stop the firewall is by setting the service to disabled in Services Manager then stopping the service through one of the GUIs or Netsh. This behavior is by design. In Windows 7, you need to disable and stop the "Base Filtering Engine" service firstly. Only stop the firewall service will put you in block mode. It could be the resean why you cannot ping the PC. Microsoft doesn not recommend you stop the firewall service, only if you need to troubleshoot some issue. This behavior will increase the security risks. In addition, this blog would help you: Stopping the Windows Authenticating Firewall Service and the boot time policy http://blogs.technet.com/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx Regards, Miya TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I understand what you are saying....this client is OK with the reduction in security. I agree WHOLEHEARTILY that the BEST way to leave the service enabled, then control the profiles via GP (Domain, Public, etc) Thanks for your help.