Thanks for the replies!! I had gone through the same documents but came up with some other problems. When I expand out WindowsXP-KB835935-SP2-ENU.exe I get two netfw.in_ files. They are in i386\ip and i386\ic, not sure which one would be the one to use. Both files look like: MSCF [binary data]

According to the MS documentation these files should be readable. And I should be able to update the files, rename them to netfw.ini and then the settings will take. My understanding, though, is that netfw should be included, like the unattend.txt file, with a full OS, Windows XP (SP2), install, not just the SP2 upgrade. I guess I was assuming that since MS was forcing this update on us, they would give us the ability to configure it the way we want.... Stupid me! Either way, it looks like I am stuck.

FYI. In order to get around this, we are just running a registry hack that adds the exceptions we want. Real easy, just import a .reg file to the registry with:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "135:TCP"="135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135"

Change the key to StandardProfile\GloballyOpenPorts\List for non-AD domain desktops. The syntax is:

    "<Port>:<UDP/TCP>"="<Port>:<TCP/UDP>:<IP Address>/<Subnet>:<Enabled/Disabled>:<Common Name>"

Port is the port you want to allow through, address/subnet is the address of the remote machine that you want to allow through and common name is whatever you want to label this exception. Same thing as netfw.in_, just a little less automated.
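
An added example, not part of the original post: a small Python audit of GloballyOpenPorts\List entries in the syntax given above, reporting malformed values and how many remote addresses each scope admits. The sample entries are constructed, the function names are hypothetical, and treating `*` as "any address" is an assumption not stated in the post.

```python
import ipaddress
import re

# Constructed sample in the post's format (not a real registry export).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"135:TCP"="135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135"
"445:TCP"="445:TCP:*:Enabled:File sharing"
"5900:TCP"="5901:TCP:192.168.5.0/255.255.255.0:Enabled:Remote admin"
"161:UDP"="161:UDP:192.168.5.300/255.255.255.0:Disabled:SNMP"
'''

ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

def parse_exception(name, data):
    """Return (fields, findings) for one value in the List key."""
    parts = data.split(":", 4)  # the common name may itself contain ':'
    if len(parts) != 5:
        return None, ["expected 5 colon-separated fields"]
    port, proto, scope, state, label = parts
    fields = {"port": port, "proto": proto, "scope": scope,
              "state": state, "label": label, "hosts": None}
    findings = []
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append("port is not in 1-65535")
    if proto not in ("TCP", "UDP"):
        findings.append("protocol is not TCP or UDP")
    if state not in ("Enabled", "Disabled"):
        findings.append("state is not Enabled or Disabled")
    if name != f"{port}:{proto}":
        findings.append("value name does not match port/protocol in data")
    if scope == "*":  # assumption: '*' admits every remote address
        fields["hosts"] = 2 ** 32
        findings.append("scope is any address")
    else:
        try:
            # strict=False accepts an address with host bits set
            net = ipaddress.ip_network(scope, strict=False)
            fields["hosts"] = net.num_addresses
        except ValueError:
            findings.append("scope is not address/mask")
    return fields, findings

def audit(reg_text):
    """Map each value name in .reg text to its (fields, findings)."""
    report = {}
    for line in reg_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            report[m["name"]] = parse_exception(m["name"], m["data"])
    return report
```

On the post's own entry the scope 192.168.5.0/255.255.255.255 resolves to a single address, so the exception admits one remote host rather than the 192.168.5.x subnet.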