Microsoft has designed a new, highly configurable firewall for Windows Vista that will give sysadmins much greater control of apps on their networks.

The new firewall has been in testing for a month and is "very much on track" to be in the final Vista release scheduled for later this year. The software giant is also considering a consumer version, said Austin Wilson, director in Microsoft's Windows Client group.

The new firewall will filter both incoming and outgoing network traffic, meaning that it can be used to block machines that are trying to connect to the Windows PC as well as applications on the PC that are trying to connect to other systems on the network. Microsoft is dubbing it a "two-way" firewall.

The ability to block outgoing traffic does not exist in Windows XP, but will give powerful options to Vista admins, Wilson said. They could, for example, ensure that their PCs only use a preferred instant messaging application. "If you tried a different instant messaging application, it would be blocked," he said. "It's really something that we're targeting toward enterprise administrators in corporations."

Though Microsoft has previously discussed plans to include the firewall in Vista, it has only recently provided details on how it will work.

The new firewall capabilities were introduced in last month's CTP build 5270, but they were difficult to access, and turned out to be much more extensive than testers had expected, according to Windows blogger Ed Bott, a co-author of the book, "Microsoft Windows XP Inside Out".

"After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that Windows Firewall hadn't changed at all," he wrote on 14 January.

To reach the new firewall features, Vista users have to build a custom Microsoft Management Console (start mmc.exe, add the "Windows Firewall with Advanced Security" snap-in and save the console); the Windows Firewall applet in Control Panel does not expose them.

The snap-in can be used in two ways. Pointed at the local computer, it manages only the PC on which it is running; used through Group Policy in Active Directory, it defines a firewall policy once and applies it to a large number of machines. "If I have 10,000 machines, I can set up a policy, one time, to block a given application. And that would propagate across all of my 10,000 machines," Wilson said.
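The "preferred instant messaging client only" policy Wilson describes, as an added example that is not part of the article: it uses netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security that ships with Vista alongside the MMC snap-in, so the same rules can be scripted on a single machine. The program paths and rule names are hypothetical.

```powershell
# Added example (not from the article). Run from an elevated command prompt or PowerShell
# window on Windows Vista. Paths and rule names below are hypothetical.

# 1. Make "block" the default for outbound traffic in every profile (Domain, Private, Public).
#    Vista's out-of-the-box policy is blockinbound,allowoutbound, so outbound rules only
#    take effect against specific programs until this is changed.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow only the sanctioned IM client to make outbound connections.
netsh advfirewall firewall add rule name="Allow corporate IM client" dir=out action=allow program="C:\Program Files\CorpIM\corpim.exe" enable=yes

# 3. Explicitly block a client that is not permitted, so it stays blocked even if the
#    default outbound policy is later relaxed back to allow.
netsh advfirewall firewall add rule name="Block other IM client" dir=out action=block program="C:\Program Files\OtherIM\otherim.exe" enable=yes

# 4. Verify what was written before rolling it out to other machines.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow corporate IM client" verbose
netsh advfirewall firewall show rule name="Block other IM client" verbose

# To undo everything above and return to the Vista defaults:
# netsh advfirewall reset
```

Two caveats a practitioner would want. First, a blockoutbound default also stops any traffic that has no matching allow rule, including traffic that core Windows services depend on, so test on a single machine before pushing the equivalent rules out through Group Policy (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security). Second, a program rule identifies the application by its executable path, not by its contents; a renamed or relocated copy of the blocked client is not matched by the explicit block rule, which is why the default-deny in step 1 does the real work and the rule in step 3 is only a safeguard.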

The underlying filtering engine, called the Windows Filtering Platform, has been rewritten for Vista, but most users will not notice major differences between the Vista firewall and the one in XP.