Have read other posts on similar subject, but wanted to ask a specific question:
When I installed CIS3, it detected my local network, and I ticked the “allow access to/from all computers on this network [in this zone]”, and all worked o.k. - I could access shares on the machine (from other PC on same subnet) and could access the VNC Server that I was running on that machine (after perhaps having to have ticked “allow” to certain CIS3 alerts on the host PC).
When I installed CIS4 (after uninstalling CIS3, as required by installer), it also detected my local subnet, and I again ticked the “allow access to/from all computers on this network [in this zone]”. However, I immediately found that I could not “ping” the host PC (on which CIS4 was being installed) from any other machine on the same network; also, I could not VNC to the host machine from any other machine on the local network. CIS4 was not alerting me to “allow” (or deny) any incoming connections, as CIS3 did. Accessing file-shares on the host PC works fine… (but can’t recall if I had to respond “allow” to an alert…).
I have read the other posts re: changing a stealth ports setting, but as far as my (perhaps flawed) logic goes, if I can see that the rules “Allow all outgoing requests if the target is in [<Trusted_Local_Subnet>]” and “Allow all incoming Requests if the target is in [<Trusted_Local_Subnet>]” are the first two rules in the “Global Rules” under “Network Security Policy”, then this should be enough to permit access to/from all hosted services on the host PC, from any other PC on the same network (file-share, VNC Server)? And especially, simply having those rules, should at least allow “pings” to be responded to?
However, as VNC is a “hosted service”, just in case it was a trusted application issue, I copied the entry from the CIS3 (that I have reverted to, on the particular PC in question) firewall policy (that works), so have added “C:\program files\UltraVNC\winvnc.exe” into the “Application Rules” part of the “Network Security Policy”, using a predefined policy of “trusted application”, and moving this rule to the top of the application rules list.
But still, I can’t connect to the VNC server hosted on the CIS4 machine. And still can’t “ping” it, although I know that the above action should not have changed that…
I have noted that under “View active connections” (even after applying the above application rule), only a couple of system processes are listed as listening, with associated ports listed. VNC (and a couple of other Applications/processes that I noted under CIS3’s view of Active Connections on this “host PC”) are NOT listed as listening…
So, the specific question is: with the two specific “Global rules” that, by definition, allow all incoming and outgoing connection to/from the local subnet [network zone], why can’t I even “ping” the host PC, let alone VNC to it? And the same situation, even with “winvnc.exe” added as a “trusted application”? (And perhaps as a symptom, why is the VNC listening port not listed as such in “active connections”?).
Thanks,
P.
P.S. - As an aside - can anyone confirm the order and logic of rule execution? (My default logic is firmly rooted in Cisco access-lists… )
E.g.: Global rules in order, stop on a match; if match includes a reference to an application, then application rules in order, stop on a match; etc. ???
And - are Firewall Policy changes (e.g. adding trusted applications, etc.) dynamic - I’m assuming they do not require a user-initiated restart of any kind (CIS or System)?
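As an added illustration of the evaluation order the P.S. asks about (not code from the post, and not a description of how Comodo's firewall is actually implemented), the script below models the Cisco-style first-match walk the poster hypothesises: global rules in order, stop on the first match; an allowing global match then hands off to the application rules, again first match; no match anywhere means block. It also folds in the one non-firewall condition behind the "not listed as listening" symptom: an inbound TCP connection has nowhere to go unless some process actually has the port open. The trusted subnet 192.168.1.0/24, the outside address 203.0.113.7, the listening table and the rule set are all constructed for the example; 5900 is UltraVNC's default port.

```python
"""First-match firewall rule walk (assumed order, modelled on Cisco ACLs).

Constructed example: global rules first, stop on match; an allowing global
match falls through to the application rules, stop on match; anything
unmatched is blocked. Inbound TCP/UDP additionally needs a listening socket.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (to this host) or "out" (from this host)
    proto: str                  # "icmp", "tcp" or "udp"
    remote: str                 # IPv4 address of the other end
    dport: Optional[int] = None  # destination port for tcp/udp
    app: Optional[str] = None    # owning local process, filled in for inbound


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None = any direction
    proto: Optional[str] = None      # None = any protocol
    zone: Optional[str] = None       # CIDR the remote address must fall in
    dport: Optional[int] = None      # None = any port
    app: Optional[str] = None        # only meaningful in application rules

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.app and self.app != pkt.app:
            return False
        if self.zone and ipaddress.ip_address(pkt.remote) not in ipaddress.ip_network(self.zone):
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first rule that matches, or None (Cisco ACL style)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def evaluate(pkt: Packet, global_rules: List[Rule], app_rules: List[Rule],
             listening: Dict[Tuple[str, int], str]) -> Tuple[str, str]:
    """Return (verdict, reason) under the assumed evaluation order."""
    g = first_match(global_rules, pkt)
    if g is None or g.action == "block":
        return "block", "global rules" + (" (no match)" if g is None else " (explicit block)")
    if pkt.proto == "icmp":
        # Echo requests are answered by the IP stack; no process owns them,
        # so under this model the global rules alone decide.
        return "allow", "global rules"
    if pkt.direction == "in":
        # Even with a permissive rule, inbound TCP/UDP needs an open socket.
        owner = listening.get((pkt.proto, pkt.dport))
        if owner is None:
            return "block", "no process listening on %s/%s" % (pkt.proto, pkt.dport)
        pkt = replace(pkt, app=owner)
    a = first_match(app_rules, pkt)
    if a is None:
        return "block", "application rules (no match)"
    return a.action, "application rule for %s" % pkt.app


# Constructed data: the two zone rules from the post plus a catch-all block,
# a single "trusted application" entry, and a listening table like the one
# "View active connections" would show.
TRUSTED = "192.168.1.0/24"
GLOBAL_RULES = [
    Rule("allow", direction="out", zone=TRUSTED),
    Rule("allow", direction="in", zone=TRUSTED),
    Rule("block", direction="in"),
]
APP_RULES = [Rule("allow", app="winvnc.exe")]
LISTENING = {("tcp", 5900): "winvnc.exe", ("tcp", 445): "System"}


def demo() -> Dict[str, Tuple[str, str]]:
    cases = {
        "ping from LAN": Packet("in", "icmp", "192.168.1.20"),
        "vnc from LAN": Packet("in", "tcp", "192.168.1.20", 5900),
        "vnc from internet": Packet("in", "tcp", "203.0.113.7", 5900),
        "rdp from LAN, nothing listening": Packet("in", "tcp", "192.168.1.20", 3389),
    }
    return {name: evaluate(p, GLOBAL_RULES, APP_RULES, LISTENING) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print("%-32s %-5s  %s" % (name, verdict, why))
```

Under this model the LAN ping and the LAN VNC connection are both permitted by the two zone rules alone, which is the outcome the post expects; the case that is blocked despite a permissive global rule is the one where no process has the port open, which is why checking the listening list is the first thing to verify before touching the rule set.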