Is there a way using group policy (or some other built in mechanism) to apply firewall rules in such a way that a subset of the rules are locked and cannot be changed or overridden, but another subset can? For example I want to lock down the Core networking rules and/or File Sharing rules so that local admins cannot change them, BUT, they can add rules to open up ports for SQL, IIS, etc...
I know with group policy you can have it not merge rules, but that is more of a hammer like approach. I would need something more granular.
Can this be done with built in tools? Or would we need a 3rd party managed firewall application of some sort?
