One difficulty with this is if you have laptop users, particularly if they have WLAN cards, then they may take their machines out to various other sites.

There having the firewall disabled is much less of a good idea.

Then they'll bring all sorts of nasties back in with them when they return. I wonder if there's a recipe which can make it turn off only when logged on to your nice safe lan?

Slarty
Fortunatly we don't have "take home" laptops (except for mine...but my firewall/router at home is configured quite well)

I'm on it right now, thumbing through Tim hill's NT shell scripting book. I know some people that can make some very robust hardcore batch scripts. Since the firewall is a NT native .exe it shouldn't be that difficult. I'll be back with something.
I'm really looking forward to your response...