Reading your earlier posts a little more closely, it seems that you have the firewall configured to ask you what to do. It’s recommended that you have it configured to automatically decide what to do. With your current configuration, there’s always a chance that one might inadvertently block an application through the alert. I’m not aware of any difference in the behavior with firewall alerts between a limited user and an administrator, but I’ll check and let you know. Also, just FYI, new rules are needed when the binaries are updated on a machine. For example, if Microsoft updates iexplore.exe via a patch (as they do quite often, most notably through their “Patch Tuesday” updates), you need new rules for this new version of the binary. With the automatic decision configuration, this is taken care of silently by the firewall engine itself, while it pops up an alert for the user if the configuration is otherwise.

Hi,

The behavior for guest accounts is actually correct. Guest accounts are not allowed to create firewall rules. This is for security reasons. This means:

- In "Automatically decide what to do" mode, if the firewall doesn't already have a rule to cover the application's traffic, it will be blocked silently

- In "Ask me what to do" mode, if the firewall doesn't already have a rule to cover the application's traffic, no alert will be prompted, and it will be blocked silently.

As Sunny mentioned above, if the application binary has changed (very possible through Windows Update), then the application rule is "out of date". When you launch iexplore.exe via your Guest account, it then fails to update the firewall rule because a Guest account is not allowed to. Unfortunately, if you do a lot of work in your Guest user account, then this behavior will occur everytime the iexplore.exe binary is updated. Each time this occurs, you have these options:

- If "Automatically decide what to do" is enabled: Log into your admin account, launch IE, and browse to any site.

- If "Ask me what to do" is enabled: Log into your admin account, launch IE, select "Allow Always" when the prompt comes up.

Any of the above actions should automatically update the rule matching the latest iexplore.exe binary. You should now be able to log back into your Guest account and use IE.

I also noticed you are receiving "Program Component Monitoring" prompts, the ones with only two options "Allow Always" and "Block Instance". This is an advanced feature which only allows two options and I would not recommend having it enabled for normal use.

I hope I've answered your all your questions.

Thank you,

Chester

Vista SP1 Business here

I would also like to see /noresult fixed too in NIS 2008.  It stopped working when NIS 2007 was released.