Somehow repeating what I said before, you are making very difficult what is fairly simple.
Let’s talk, if you want to, of technical details and protocols later, when you shall have succeeded in blocking your computers.
I made the test by plugging in my second computer, and it confirmed what I said: you only need to block NetBIOS, period.
As there might be some differences, I report my configuration as far as it is relevant.
-PC1 is a desktop running xp pro sp3 with cis v3.
cis is set to proactive, firewall to custom, maximal alerts, everything checked except ICS, no global rules except the blocking ICMP rules (thus not relevant here).
defense+ is not relevant, but it is set to paranoid, normal image execution settings, with everything checked there, no trusted application, no trusted vendor.
Ports are stealthed in firewall.
All of the unneeded services have been disabled by os options (e.g. remote control, security center…), standard services, or autoruns.
As far as I remember, websites like Black Viper or equivalent also list the services to be closed in Vista.
-PC2 is a very small netbook, running Win 2K SP4 to save disk space and not able to run cis 3 or even cis 2.x for the same disk space reasons, added to the very small screen size: the firewall is the old Kerio 2.1.5.
Both computers are ethernet wired to the same router.
DHCP is disabled; it is a prerequisite if you want “fine” LAN settings: PC1 is 192.168.0.20, PC2 is 192.168.0.30.
The network mask is the standard 255.255.255.0, the gateway is the IP of the router (192.168.0.1), the DNS servers are those of my ISP (215.27.40.240-212.27.40.241) and of course both computers are in the same workgroup.
PC1 has no shared partition (a total of 2 hard disks and 6 partitions) whereas PC2 has as its only “hard disk” a small flash drive with 3 partitions, of which only 2 are shared.
Remember, lastly, the “remanence” of Windows sharing: until you reboot on both sides, you always see the same thing in the network favorites.
Of course, without even speaking of whatever firewall, if you NEVER want PC1 to see PC2 AND PC2 to see PC1, set 2 different workgroups, and let’s speak of something else: we therefore assume that PC2 is not allowed to see PC1, but that PC1 is allowed to see PC2; let’s plug in both computers.
-Total interdiction:
As soon as it boots (and for technical reasons we might talk of later), and before I set anything in the firewall, cis asks for 192.168.0.255 permissions: it is a broadcast request, the OS is aware that “something” is connected, and searches where it could find it.
If now I try to open network favorites and open PC2 from PC1 or PC1 from PC2, I shall be asked for permissions for 192.168.0.20 or 192.168.0.30 on the same NetBIOS ports.
If I deny, the only difference is that PC1 is totally invisible from PC2 (PC1 has no shared partition), whereas PC2 seen from PC1 shows the names of the 2 shared partitions, but I am totally unable to open them.
The rules are very simple:
-Block, UDP out, from ip any to 192.168.0.255 where source port is any and destination ports 137-139
(no more broadcasting at boot time in order to automatically discover the lan)
-Block, TCP or UDP, in and out, from 192.168.0.30 to 192.168.0.20 where source port is any and destination is any (replacing “any” by “137-139” is enough)
-Same as before, inverse 192.168.0.30 and 192.168.0.20
-Partial interdiction: PC1 is allowed to see PC2, but PC2 is not allowed to see PC1 (amend as needed on PC2, I don’t have cis on PC2).
Delete the 3 rules supra, and replace them by the 3 following:
-Allow TCP or UDP out, from 192.168.0.20 to 192.168.0.30, from any ports to ports 137-139
-Allow UDP in from 192.168.0.30 to 192.168.0.20, where source port is any and destination ports 137-139
-Allow UDP out from 192.168.0.20 to 192.168.0.255 where source port is any and destination ports 137-139.
Done (note that “system” in cis 3/xp, where the said rules take place, might be replaced by “WOS” in cis 4 or 5 and vista, but it has no importance whatsoever as cis takes the decision for you, and you only have afterwards to modify it as said).
Needless to say, these NetBIOS rules MUST be followed by a general blocking rule denying everything (TCP, UDP, in, out, any IP source and destination) for the NetBIOS ports 137-139.
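To check that the two rule sets in the post really behave as described before typing them into a firewall, here is a small model of them, as an added example that is not the poster's code nor anything from Comodo. It assumes that rules are evaluated top-down with the first match winning, that a packet no rule matches raises a permission prompt (modelled as "alert"), and it uses the addresses and ports given in the post; the packets in SAMPLE_TRAFFIC are constructed, seen from PC1's side.

```python
"""Model of the NetBIOS rule sets from the post, evaluated first-match, top-down (assumed)."""
from dataclasses import dataclass

NETBIOS = range(137, 140)      # destination ports 137-139, as in the post
PC1 = "192.168.0.20"           # addresses from the post
PC2 = "192.168.0.30"
BCAST = "192.168.0.255"        # the LAN broadcast address asked for at boot


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "block"
    protos: frozenset  # subset of {"tcp", "udp"}
    dirs: frozenset    # subset of {"in", "out"}
    src: object        # source ip, or None for "any"
    dst: object        # destination ip, or None for "any"
    dports: object     # range of destination ports, or None for "any"

    def matches(self, proto, direction, src, dst, dport):
        """True when every field of the rule accepts the packet."""
        return (proto in self.protos and direction in self.dirs
                and (self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.dports is None or dport in self.dports))


def rule(action, protos, dirs, src, dst, dports=NETBIOS):
    return Rule(action, frozenset(protos), frozenset(dirs), src, dst, dports)


# The final catch-all the post insists on: deny everything on 137-139, any ip, both ways.
NETBIOS_CATCH_ALL = rule("block", {"tcp", "udp"}, {"in", "out"}, None, None)

# "Total interdiction", the three rules plus the catch-all.
TOTAL = [
    rule("block", {"udp"}, {"out"}, None, BCAST),              # no boot-time broadcast
    rule("block", {"tcp", "udp"}, {"in", "out"}, PC2, PC1),    # PC2 -> PC1
    rule("block", {"tcp", "udp"}, {"in", "out"}, PC1, PC2),    # PC1 -> PC2
    NETBIOS_CATCH_ALL,
]

# "Partial interdiction": PC1 may see PC2, PC2 may not see PC1.
PARTIAL = [
    rule("allow", {"tcp", "udp"}, {"out"}, PC1, PC2),          # PC1 talks to PC2
    rule("allow", {"udp"}, {"in"}, PC2, PC1),                  # PC2's UDP (name/datagram) replies
    rule("allow", {"udp"}, {"out"}, PC1, BCAST),               # browse broadcasts allowed again
    NETBIOS_CATCH_ALL,                                         # everything else on 137-139 dies here
]

# Constructed packets (proto, direction, src, dst, dport), as seen by PC1's firewall.
SAMPLE_TRAFFIC = {
    "boot broadcast":        ("udp", "out", PC1, BCAST, 137),
    "PC1 browses PC2 (tcp)": ("tcp", "out", PC1, PC2, 139),
    "PC2 name reply (udp)":  ("udp", "in",  PC2, PC1, 137),
    "PC2 opens PC1 share":   ("tcp", "in",  PC2, PC1, 139),
    "third host netbios":    ("tcp", "in",  "192.168.0.77", PC1, 139),
    "web traffic":           ("tcp", "out", PC1, "192.168.0.1", 80),
}


def decide(rules, proto, direction, src, dst, dport):
    """First matching rule wins; no match means the firewall would prompt ("alert")."""
    for r in rules:
        if r.matches(proto, direction, src, dst, dport):
            return r.action
    return "alert"


def evaluate(rules):
    """Run every sample packet through a rule set; returns {packet name: decision}."""
    return {name: decide(rules, *pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("total", TOTAL), ("partial", PARTIAL)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {name:24s} -> {verdict}")
```

The interesting row is "PC2 opens PC1 share": in the partial set the inbound UDP reply from PC2 is allowed by the second rule, but an inbound TCP session from PC2 on 139 matches no allow rule and falls through to the catch-all, which is exactly what keeps PC1 invisible from PC2. Put the catch-all first (`[NETBIOS_CATCH_ALL] + PARTIAL`) and every NetBIOS packet is blocked, which shows why the post says the deny-all rule must come after the specific ones. The model only knows the ports the post names, so anything else (port 80 here) falls through to "alert".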