1. Desktop policy will bring gateway rules into the local firewall. That's one thing I don't want to happen.
For example, the rule blocking multicast is actually located in the gateway instead of directly in the desktop policy.
If I use desktop policy, to allow the multicast traffic to go through the OS firewall, I have to change the rule on the gateway. But we don't want multicast traffic to cross the gateway.
2. The other reason we prefer the Endpoint Security policy is that, as I said, it's easier, more functional and more granular.
For example, we want to make different rules for different computers. It's very easy in the SmartEndpoint console. Just create virtual groups and assign the different policies to them, then add the computers to the different virtual groups.
Not sure how to do it in desktop policy.
Any idea how to use Endpoint policy and make Internet traffic go only through the VPN?