"IP Security Policies" in Windows 7 makes it very slow to open any pages.
I used to run Windows XP with "IP Security Policies", and I could open web pages without any problem. Now I have upgraded to Windows 7 and use the same settings in "IP Security Policies". The problem is that it takes a long time to open a simple web page. If I disable "IP Security Policies", the pages are displayed very fast. I don't know why. (Such as http://www.google.com or http://www.microsoft.com) I guess there is a new feature in "IP Security Policies", isn't there? Or have I missed something?

The following are the filter and action settings in Policies:
1. All ip and all ports --> Deny
2. My ip to all ip (from all to port TCP 80 and TCP 443) --> Allow (mirrored)
3. My ip to DNS server (from all to port UDP 53) --> Allow (mirrored)

Best Regards
April 27th, 2010 12:56pm

I recreated the setup you described per your specifics, and I found web page display to be blocked entirely. Notably I see my "DNS Operations" rule first, then "Deny Everything", then "Allow 80 and 443". I don't see a way to order these rules. I'm not familiar with the Security Policy specifics... Do "Allow" operations take precedence over "Deny" operations?

Without the explicit "Deny" rule, I find that web pages may be coming up a little more slowly, as you have described (e.g., taking a few seconds longer), though given the nature of the Internet this is not certain.

There is a nice program called Fiddler2 that could help you diagnose the issue, though it may be working at a bit higher level than needed here... http://www.fiddler2.com/Fiddler/help/http/

I noticed while running Fiddler2 that when I un-assigned the policy a whole bunch of certificate traffic was generated (e.g., requests and responses to verisign, thawte, usertrust, etc.), as well as some other requests (e.g., to amazon.com and microsoft). This may have been coincidence (Microsoft Update running perhaps?), as it didn't happen again. With the Deny rule in place absolutely no web traffic is logged.

I'm sorry I have no answers in this, but perhaps it can help you find new avenues for investigation.

-Noel
April 27th, 2010 8:03pm

Hi Noel. As you said, nothing happens if I enable the policy. If I disable the policy, Fiddler2 can trace all the HTTP requests. I'm running Windows 7 64 bit, and I don't use a router. I'm using ADSL with manual dial-up. Both the 32 bit and 64 bit versions of Internet Explorer have the same problem. The strange thing that concerns me is that "Policies" work fine in Windows XP.

Thank you very much, Noel. But I still have no idea now.

Best Regards, Calven
April 28th, 2010 3:16pm

I don't believe Internet Explorer has "the problem" per se, but that the policy rules are blocking all IP operations. I think it must hinge on what rule takes precedence if there are conflicts. For example, the rule that denies everything may in fact be truly doing just what you've told it to do. You might seek out documentation on that policy to see if there's specific language describing whether "allow" or "deny" rules take precedence.

Also, not being familiar with that policy interface myself, what does it mean to have two "allow" rules standing alone? Is it possible the "deny" part is now implied, and just having the two "allow" rules accomplishes what you want?

Lastly, the Windows 7 firewall is about as powerful as any. Maybe you can accomplish what you want through careful configuration of that tool, as opposed to the MMC policies.

-Noel
April 28th, 2010 11:02pm

Dear Noel, I find it is impossible to change the order of the policies. The linked attachment is my policy setting. Could you please have a look? Any suggestion is highly appreciated.

http://cid-8638bcc57cd0ad87.skydrive.live.com/embedicon.aspx/.Public/IPsec^_Policy.ipsec

Regards, Calven
April 29th, 2010 3:11pm

This topic is archived. No further replies will be accepted.
