Is this working as designed:?

Take an XP workstation with nothing on it (other than support packs)

Do a start -> Run -> gpedit.msc

Go into Local Computer Policy -> Computer Configuration ->
Administrative Templates -> Network -> Network Connections -> Windows
Firewall -> Domain Profile

Disable the Firewall

Save, exit, reboot.

Go back into GPEDIT.MSC. Verify that the setting is still "disabled"
for the firewall. (also check control panel -Windows Firewall to make
sure it's disabled).

Now, go into GPEDIT and Re-enable it. REboot. Verify it's still
enabled. It is.

Go into GPEDIT and Disable it one more time (reboot to verify it's

Now, Install Novell 4.91 client on it and the ZEN 6.5 SP1b agent

Login. NO ZEN GPO policies are being applied or associated to the user
OR the workstation object. There is a ZEN Workstation policy that does
Remote Control and Inventory, but that's it. NO ZEN User policy
associated to the user.

Firewall still disabled.

Now, take a ZEN 7 User package that does JUST a GPO that ENABLES the
firewall and allows ICMP Exception. (in the Domain Profile)

Associate to the user.

Reboot, let policy kick in and verify that firewall is now enabled and
you can ping.

Now, remove the ZEN 7 user policy association from your user.

Wait a few minutes, reboot pc. Check the "scheduler" icon on the system
tray to verify that the ONLY policy being applied is the
"remote/inventory" one (in our case).

Fire up GPEDIT. Check the Firewall stuff. It should now say "not
configured". It does.

This is where it now gets weird:

DISABLE the Firewall. Save. Reboot.

Go back into GPEDIT. The firewall setting now shows: NOT CONFIGURED

It's almost like once you deploy a ZEN GPO, that you can never ever edit
the workstation's policy via GPEDIT.

I've duplicated this on several pc's at this point.

Now, I'm not sure if it's working as designed though.

ZEN 6.5 SP1b agent, with ZEN 7 on the back-end. User Policy is set for
GPO and the first two checkboxes are set (computer and user) and we set
it to Cache User Configuration, but NOT remain in effect on logout.