Create a little subnet with all your different configs, identify what you need, and use Active Directory to modify those settings across the board... like I did (and I have a 2000 domain! I imported the ADMs).
The firewall being enabled only SEEMS like overkill; in actuality, it has virtually destroyed the ability of most new viruses and spyware/adware apps to communicate on my network of 8000+ PCs... therefore virtually eliminating the bandwidth issue, the propagation of new viruses, or ones that seem to creep in on PCs with damaged antivirus installations, to name a couple of benefits... think about it... internal and external.
I did open up 6129 for DameWare (our remote app) and a few more for what we need, but all other doors are CLOSED, thank god... it's a pain to begin with, but it's just another hole you can plug with a little work.
Note to all:
If you import those ADMs on a 2000 domain, you will be faced with some errors after importing and trying to modify policy, but they aren't critical and do not affect functionality. You can either wait on the next 2K service pack or call Microsoft for a fix...
I didn't bother calling...
I hear and I forget. I see and I remember. I do and I understand.
Confucius