I have Internet Security and Acceleration (ISA) Server configured as a firewall to control traffic to and from my internal network. After I install Windows XP Service Pack 2 (SP2) on the workstations, will it block all the traffic that ISA Server already blocks? If so, isn't this an unnecessary redundancy?
XP SP2's Windows Firewall will indeed duplicate some of the functionality of your perimeter firewall, but that's actually desirable. If your perimeter firewall fails to block malicious traffic for some reason (e.g., misconfiguration), each PC still has a layer of defense to fall back on. Windows Firewall also defends individual PCs from someone who might circumvent your perimeter firewall—for example, by using a wireless connection to access your network—then use the IP address assigned to him or her by your LAN to attack legitimate computers on your LAN. Windows Firewall also protects PCs if—and this is the attack scenario that made Microsoft decide to activate Windows Firewall by default—one PC gets infected with a worm that could propagate on an internal LAN. The only thing standing in the way of your entire network getting infected are locked-down, fully patched computers, but few of us can maintain such a high level of security on every computer on our LANs. One final scenario in which a perimeter firewall isn't much help: a user with his or her laptop connected to the Internet at the airport or some other hot spot away from the office. No perimeter firewall is protecting the user at that point, but Windows Firewall mitigates the risk.