I have an XP SP2 client that was within an OU which had firewall
policies defined. Those policies enabled the firewall with a list of
allowed applications and ports. Now, I've moved this client to an OU
which has the firewall settings set to Not Configured. I also
manually deleted all exceptions from the list and confirmed that the
registry defines no AllowedApplications. I did all of this because I
wanted the user that uses this computer to have to reanswer all of the
"Keep Blocking" prompts so that I can create a new GPO of firewall
settings, updating the old one created by a predecessor. However,
even after the GPO is applied to this machine the old firewall
settings still are in effect.

I've read the Cable Guy article about how firewall profiles (Domain
vs. Standard) are selected. This machine has a static IP with a
manually entered DNS suffix. So, after the article I figured that
because the GPO connection matched my DNS suffix, it still applied
domain policies. To confirm this, I issued the netsh firewall show
state command, resulting in this:

Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = None
Remote admin mode = Disable

So, the machine is still using the domain profile but theoretically
not using any settings because of the None setting in GP version.
However, while using the computer with an administrator account, I
still received no prompts to approve/deny applications. I
specifically ran applications that were explicitly defined as allowed
in the policy of the other OU. And the programs always ran and always
connected to the Internet, even though no exceptions are defined.

So, next I removed the DNS suffix and forced a GP update. The profile
switched to Standard, but the same behavior remains. The firewall is
enabled, with exceptions enabled, but no exceptions defined, yet any
application that runs has complete Internet access, just as if it was
still using the old domain policy it was assigned. The firewall log
shows all sorts of IPs and ports being allowed. Just for kicks I
disjoined the computer from the domain and rejoined, but that didn't
help either.

Any ideas?
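Added diagnostic, not part of the original post: a cmd batch script for the XP SP2 client that captures what netsh reports for the active profile and then dumps both places the XP firewall reads exceptions from, the local profile keys under HKLM\SYSTEM\...\SharedAccess\Parameters\FirewallPolicy and the Group Policy keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall. The registry paths and value names are assumed from the XP SP2 firewall layout; a "reg query" error simply means that key or value does not exist, which is itself useful to see. A program that netsh lists as allowed but that appears in neither List key is the discrepancy worth chasing.

```batch
@echo off
rem Added example, not from the original post. Run from an administrative
rem cmd prompt on the XP SP2 client and save the output:
rem     fwdiag.cmd > fwdiag.txt 2>&1
rem Assumed (XP SP2) registry layout:
rem   local settings:  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
rem                    Parameters\FirewallPolicy\<Profile>\...
rem   policy settings: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\...
rem Each profile has AuthorizedApplications\List and GloballyOpenPorts\List.
rem A missing key just prints a reg error; keep going so both views are shown.

setlocal
set LOCALBASE=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
set POLICYBASE=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

echo === netsh view of the active profile ===
netsh firewall show state
netsh firewall show opmode
echo.
echo === programs and ports netsh considers allowed ===
netsh firewall show allowedprogram
netsh firewall show portopening

for %%P in (DomainProfile StandardProfile) do (
    echo.
    echo === %%P: local (non-policy) settings ===
    reg query "%LOCALBASE%\%%P" /v EnableFirewall
    reg query "%LOCALBASE%\%%P" /v DoNotAllowExceptions
    reg query "%LOCALBASE%\%%P\AuthorizedApplications\List"
    reg query "%LOCALBASE%\%%P\GloballyOpenPorts\List"
    echo.
    echo === %%P: Group Policy settings (key only exists if a GPO wrote it) ===
    reg query "%POLICYBASE%\%%P" /v EnableFirewall
    reg query "%POLICYBASE%\%%P\AuthorizedApplications\List"
    reg query "%POLICYBASE%\%%P\GloballyOpenPorts\List"
)

echo.
echo === computer-scope policy result, firewall lines only (coarse filter) ===
gpresult /scope computer /v | findstr /i "firewall"
endlocal
```

Compare the two sections side by side: the netsh "allowedprogram" list is the effective view, and whichever registry location still contains the matching entries is the one the old policy left behind and the new GPO (set to Not Configured) does not overwrite.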