Windows Vista to include two-way firewall

So, for those who’ve been demanding that Microsoft offer a fully functional two-way firewall, your request has been granted. In articles about the December CTP Build 5270, I’ve seen vague references to this new feature, but to my knowledge no one has yet published any details. So consider this a scoop.

After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that the Windows Firewall hasn’t changed at all. To get to the more powerful functionality, the bare-bones Control Panel applet won’t do; you need to open a custom Microsoft Management Console (mmc.exe), load the Windows Firewall with Advanced Security snap-in, and point it at your local computer. When you do, you see a well-organized interface for controlling all firewall settings. Here’s a snippet:

[Screenshot: Adv_firewall, the Windows Firewall with Advanced Security console]

Two things jump right out at you: First, you get separate firewall profiles, depending on whether or not your computer is connected to a domain. Second, outbound connections are allowed by default in both profiles. To change these settings, click the Windows Firewall Properties link. That opens this dialog box:

[Screenshot: Adv_firewall_3, the Windows Firewall Properties dialog box]

With one mouse click, as I’ve shown here, you can instantly block all outgoing connections except those you define as exceptions. That list of exceptions appears in the Windows Firewall with Advanced Security console. In a default installation, several dozen exceptions are defined but not enabled. After turning on the Block option for outbound connections, you can go through and enable the exceptions you want and define custom rules as well, with an excruciating level of detail. (In managed environments, you’ll be able to automate all these settings through Group Policy or by using netsh advfirewall from a command prompt.)
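The same procedure from the command line, as an added example that is not part of the original post and not Microsoft’s own sample code: it backs up the current policy, switches outbound filtering to block, re-enables the built-in Core Networking rules, adds two named exceptions, and turns on logging of dropped connections so you can see what is still trying to get out. It uses the netsh advfirewall syntax of the released product, which may differ from the CTP build described here; the backup path, the rule names and the iexplore.exe path are assumed values, and allprofiles is used so the script does not depend on which profile names the build exposes. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): block all outbound traffic with
# netsh advfirewall, then re-open only what is needed. Requires an elevated
# prompt. Rule names, backup path and program path are assumed values.

$Backup = "$env:SystemRoot\Temp\wf-before-outbound-block.wfw"   # assumed path
$Log    = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Invoke-AdvFirewall {
    # Hand the line to netsh exactly as it would be typed at a command prompt
    # (via cmd.exe, so the documented name="..." quoting survives) and stop on
    # the first failure instead of leaving the firewall half-configured.
    param([Parameter(Mandatory)][string]$Command)
    $out = cmd.exe /c "netsh advfirewall $Command"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $Command failed:`n$($out -join "`n")"
    }
    $out
}

# 1. Save the current policy. Roll back later with: netsh advfirewall import <file>
Invoke-AdvFirewall "export `"$Backup`"" | Out-Null

# 2. Keep inbound blocking and switch outbound to block for every profile.
#    This is the one-click change in the Windows Firewall Properties dialog.
Invoke-AdvFirewall 'set allprofiles firewallpolicy blockinbound,blockoutbound' | Out-Null

# 3. Enable the built-in "Core Networking" group (DHCP, DNS, ICMP/IPv6 plumbing).
#    The rules exist but are disabled by default; without them the machine
#    cannot renew a lease or resolve names once outbound is blocked.
Invoke-AdvFirewall 'firewall set rule group="Core Networking" new enable=yes' | Out-Null

# 4. Explicit outbound exceptions: one per program (IE, as in the post) and
#    one per protocol/port. Named rules are easy to audit and delete later.
Invoke-AdvFirewall ("firewall add rule name=`"Allow IE outbound`" dir=out action=allow " +
                    "program=`"$env:ProgramFiles\Internet Explorer\iexplore.exe`" " +
                    "enable=yes profile=any") | Out-Null
Invoke-AdvFirewall 'firewall add rule name="Allow DNS outbound" dir=out action=allow protocol=UDP remoteport=53 enable=yes profile=any' | Out-Null

# 5. Log dropped connections. Every program that is still trying to get out
#    now shows up in the log with destination address and port, which is the
#    evidence behind "nothing could connect until an exception was defined".
Invoke-AdvFirewall 'set allprofiles logging droppedconnections enable' | Out-Null
Invoke-AdvFirewall "set allprofiles logging filename `"$Log`"" | Out-Null

# 6. Show the resulting policy and the enabled outbound rules.
Invoke-AdvFirewall 'show allprofiles'
Invoke-AdvFirewall 'firewall show rule name=all dir=out' |
    Select-String -Pattern '^(Rule Name|Enabled|Action)'
```

Two caveats before running this on a machine you administer remotely. The filter is stateful, so replies to an already-allowed inbound connection (Remote Desktop, for instance) keep flowing, but anything the machine initiates itself, including domain logon, time sync and Windows Update, is blocked until a rule allows it; the exported .wfw file is the quick way back, and `netsh advfirewall reset` restores the defaults. Check the dropped-connection log after a few minutes of normal use before committing the policy through Group Policy.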

The documentation for these new firewall features is sparse at this point. The MMC console contains a half-dozen links that point to non-existent help topics and white papers. I’m betting that a few interface tweaks are yet to come, including a notification feature that allows you to see when an application tries to make an unsolicited outbound connection so you can approve it on the fly. For now, I can confirm that the outbound blocking works very well indeed. After enabling this feature, not a single program I tested, including Internet Explorer, was able to connect to any computer on the local network or on the Internet until an exception was defined.

Of course, we’ll be digging deep into this feature in Windows Vista Inside Out, and I’ll add more details after I receive the next CTP build, due around the end of this month.

16 thoughts on “Windows Vista to include two-way firewall”

  1. It was about time. 3rd party firewalls are much more complicated for the average user to manage, and they also (together with the antivirus suite) drain the PC’s resources…

    George from Greece

  2. Pingback: Windows Vista Info
  3. You get both Domain & a “not-connected-to-domain” firewall settings now. Just check out the Windows Firewall GPO. Admittedly it doesn’t show up on the machine, which is kinda neat. 🙂

  4. But have they fixed the performance problems? The current firewall in XP SP2 slows down copies to and from file shares horribly.

  5. I’ve never seen any performance hit in file copies from Windows Firewall. Do you have a link that establishes that this is a known problem?

  6. Pingback: TechBlog
  7. Blocking outbound traffic is a BAD thing. It means something malicious has already got onto your system. The good security policy is to not get it there in the first place.

    An outgoing firewall is like locking the stable door after the horse has bolted. Having malicious software on your system may do other damage, other than sending out data…

  8. Just like it’s always best that viruses don’t get on your system to begin with, but the AV software is there just in case… Sh!t happens.

    There are other good reasons to block outbound traffic too.

    For one, say you’re an admin at a company and you want to stop your users from being able to use non-company-approved email programs (yes, there are other ways to accomplish this, but security is always best in layers).

    Or, you have kids who have been grounded from IM’ing their friends. The outbound firewall can be enabled to make sure they’re abiding by the restriction while they work on their homework (type up their report or whatnot).

  9. I have tried Vista Business edition. Loved the firewall, which was preconfigured using a script included by Dell.
    Because of needed compatibility refinements for some XP series applications carried over, I reverted to XP, but now with them resolved, I am going back to Vista. I say “Beware” to advanced users though. I have found that with the “utility partitions” Dell included on the main drive of my RAID array, I had to remove all of my old partitions then reinstate the configuration I required, using Vista’s disk manager, as the type of NTFS structuring has changed from XP to Vista.
