Our on campus guru explained how to utilize the SEP console to change firewall applications via the SEP console:
Assign install packages to a group with a specified feature set of components so that all of my "no sep firewall" SEP groups install a client with a custom feature set each time a computer is moved from one SEP group to another.
1. On the console ADMIN section I designed two Client Install Feature Sets, one for SEP Firewall and one NO SEP Firewall.
2. Then on the console at CLIENTS I Added Client Install Package and UNCHECKED the "maintain existing client features when upgrading" and assigned the NO SEP Firewall Feature Set to the No SEP Firewall client group.
3. On the console at CLIENTS I added Client Install Package and UNCHECKED the "maintain existing client features when upgrading" and assigned the SEP Firewall Feature Set to the SEP Firewall client group.
Now I can move client machines from one SEP group to another and the firewall will install the Firewall (Network Threat Protection) component will be installed or uninstalled at the next client update. Once the NTP component is uninstalled, the workstation automatically reverts to the Windows Firewall settings from local or Group Policy.
This seems to solve the issue, if there is any reason NOT to use this method, please let me know!!! Thanks to everyone for helping!