Maybe like this:
  • via GPO, set the minimum you need to administer a computer (protocols, ports, networks, etc.)
  • do not enable or restrict the use of the firewall via GPO, just add the minimum of policies needed
  • during installation or imaging of computers, set the firewall on
  • a common user cannot switch his firewall on or off, so the firewall will stay on
  • during installation of software, the ports, protocols, programs, networks etc. needed can be added to the local firewall policy
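
The imaging-time and install-time steps from the list above, as an added PowerShell example that is not part of the original answer. The application name, program path and port are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. App name, program path and port below are hypothetical placeholders.

# Imaging / first-boot step: switch the firewall on locally for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Check the effective (GPO + local) policy: local rules are only honoured
# if no GPO has disabled local rule merging for a profile.
$blocked = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.AllowLocalFirewallRules -eq 'False' }
if ($blocked) {
    Write-Warning ("Local rules are ignored on profile(s): " + ($blocked.Name -join ', '))
}

# Software-install step: add only what the application needs to the local store.
function Add-AppFirewallRule {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Program,
        [Parameter(Mandatory)] [int]    $Port
    )
    # Idempotent: do not create a duplicate when the installer is re-run.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        return
    }
    # Scope the rule to one program, one port and the Domain profile only.
    New-NetFirewallRule -DisplayName $DisplayName `
        -Direction Inbound -Action Allow `
        -Program $Program -Protocol TCP -LocalPort $Port `
        -Profile Domain | Out-Null
}

Add-AppFirewallRule -DisplayName 'ExampleApp (TCP 8443 in)' `
    -Program 'C:\Program Files\ExampleApp\exampleapp.exe' -Port 8443
```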