I want to make sure that every computer on the domain has the Windows Firewall switched on and the user (even if logged in as Administrator) cannot switch this off.
I know how to do this locally on a per machine basis, but how would I do this on Windows Server 2003 to ensure that this applies to every computer?
Yes you can manage Windows Firewall through GPO.
I use GPO for my mixed 2k3 and 2k8 environment.
Can you lock out the local Admin? I don't think so. For that, you might need a centrally managed commercial firewall package. I know Symantec Endpoint Protection has this feature, for instance.
Like schroeder said, you can manage the Firewall settings by GPO under:
Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security
These settings will however affect everyone that is logged on to the PC. Also administrators. When accessing the properties it will show you this (note the grayed Firewall state).
I wrote a blog about these settings that you can read in: http://zeda.nl/b21
I have used GPOs in Win2k3 and Win2k8 environment as well. Check out Microsoft's article on Deploying Windows Firewall Settings With Group Policy if you haven't already. Then run gpupdate on the machines or wait for the settings to be pushed out.

As for user rights, I recommend only giving the minimum needed for them to function. The users who demand more privileges but don't need them will figure a way around this security measure or just give up. I always say that it cannot be granted unless documented in writing to avoid legal issues later on for that user.
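The two answers above describe the GPO path and the gpupdate step but not how to confirm afterwards that the policy actually took hold on each machine. The following audit script is an added example, not code from any of the posters: it reads the EnableFirewall value that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (the presence of that key is what grays out the state in the local UI, even for administrators) alongside the effective local value under the SharedAccess\Parameters\FirewallPolicy key, and reports any profile that is either not enforced by GPO or not enabled. It assumes an elevated prompt and, for remote hosts, that WinRM is reachable; the computer names are constructed sample values.

```powershell
# Added example (not from the thread): audit whether the Windows Firewall is on and
# whether a GPO is the reason it is on, so that a local admin cannot switch it off.
# Assumptions: elevated PowerShell; remote hosts reachable via WinRM (Invoke-Command).
# PublicProfile exists only on Vista/2008 and later; XP/2003 have Domain and Standard.

function Get-FirewallEnforcement {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $script = {
        # Values written by the GPO (Computer Configuration -> Windows Settings ->
        # Security Settings -> Windows Firewall with Advanced Security). When these
        # exist the local UI shows the firewall state grayed out, administrators included.
        $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
        # Effective local settings (what the service is actually running with).
        $localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

        foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
            $policy = Get-ItemProperty -Path "$policyRoot\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
            $local  = Get-ItemProperty -Path "$localRoot\$profile"  -Name EnableFirewall -ErrorAction SilentlyContinue

            # $null means "no value present": for the policy side that means no GPO
            # governs this profile, so a local admin could turn the firewall off.
            $policyEnabled = if ($policy) { [bool]$policy.EnableFirewall } else { $null }
            $localEnabled  = if ($local)  { [bool]$local.EnableFirewall }  else { $null }

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Profile       = $profile
                PolicyEnabled = $policyEnabled
                LocalEnabled  = $localEnabled
                EnforcedByGpo = [bool]$policy
            }
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $script
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $script
        }
    }
}

# Usage: list only the profiles that need attention. A row with EnforcedByGpo = False
# is a machine where the GPO has not applied yet (run gpupdate /force there, or check
# gpresult /r) or whose OU is outside the GPO's scope. 'PC01' and 'PC02' are
# constructed sample names.
Get-FirewallEnforcement -ComputerName 'PC01', 'PC02' |
    Where-Object { -not $_.EnforcedByGpo -or -not $_.LocalEnabled } |
    Format-Table -AutoSize
```

Running this from the server after gpupdate turns "wait for the settings to be pushed out" into a concrete check: an empty result means every profile on every queried host is both enabled and locked by policy. Because the script only reads registry values, it is safe to run on a schedule as a drift detector for machines that later fall out of the GPO's scope.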