Always one to toot my own horn, in this month's Redmond Magazine is a feature article by yours truly that attempts to show specific examples of how you can enable the Windows Firewall for clients in your domain -- and still feel good about doing it.

From the piece...

Some consider it one of Microsoft's greatest blunders. With the release of Windows XP Service Pack 2 (SP2), Microsoft made the conscious decision to turn on the Internet Connection Firewall (ICF) for all connections. Administrators not used to the idea of network security at the desktop scrambled to figure out what to do. Whether due to lack of time, planning or understanding of how that firewall actually worked, many elected to simply turn it off. In one fell swoop, Microsoft's decision put a black eye on the idea of host-based firewalls for a generation of systems administrators.

The problem with Microsoft's decision was not that forcing it on was a bad idea. In many ways, it wasn't. A fully developed, host-based firewall with centralized control is an excellent tool to help secure the otherwise unsecured insides of a corporate network. The problem was in getting it fully developed. Enabling it for computers attached to a domain required a Herculean effort of application testing and configuration tuning. Because of this concerning level of up-front work, the ICF in many environments went disabled with SP2. For many it remains that way today.

If you've been burned by the Windows Firewall, check out the article at this link. You might find that there's some potential there to maybe...even...turn...it...back...on...

Toot, toot!