Just a tip for you guys that might have pulled your hair trying get the client updates / deployment work on a SBS 2003 SP1+ and XP SP2 environment on remote subnet.

TO avoid disable your tight firewall exclusion u must define your subnets correctly in the GPO of the SP2 firewall.

Open the Server manager browse to Advanced Management.
Expand Group Policy Management.
Expand Forest (Domain name)
Expand Domains
Expand your Domain
Expand Group Policy Objects
Right click “Small Business Server Windows Firewall” choose EDIT

Now open Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

Double click the: Windows Firewall: Allow file and printer sharing exception.
In the "Allow unsolicited incoming messages from: you will see a value named “localsubnet” Replace with all your subnets or as you like.
If you for instance have the subnet 192.168.0.x and the subnet 192.168.1.x at your branch then simply add the following: “192.168.0.0/24,192.168.1.0/24”

Then to speed things up run GPUPDATE on the clients you’re having problem with and voila the deployment of avast Will work as a charm.

Hope it helps someone.