i'm looking for an alternative to PCAnywhere that will work without
any firewall configuration.  i don't need anything fancy.  All it
needs to do is remote control.  Also, the cheaper the better.

The fundamental issue with what you're asking is that PCAnywhere is a
server type service. By its very nature, it, and other softwares of
its ilk are simply waiting for a connection to be made, but otherwise
just sits happily. It waits on a connection on a specific port, and
the client of the application seeks out that port for connection. Look
at it like this: port 80 is the "door" that is open for a website. If
port 80 isn't open, a web browser won't see the web page.

Likewise, if the ports for PCAnywhere, tightvnc (www.tightvnc.com),
Timbuktu, etc., aren't open/available, the server can't respond to a
client's request. Behind a firewall, those "doors" are normally
closed. To fix it, the firewall has to know what to do when the door
is requested. If it knows, it acts invisibly to relay the information
to the waiting PC that is running the host/server.

A service like "GoToMyPC" gets around this fact by having the server
announcing to a central location that it is "live", repeatedly. Since
the "announce" happens very similar to the way a web browser connects
to a website, the firewall will usually pass the "announce" unless it
is explicitly blocking the "announce." When a client/browser connects
to the central location, the connection is established.

One way you can simulate this is by having your remote control
software announce to you at home. This requires a bit of work, but not
impossible. While the most often configuration of a remote control
software is to sit and wait, another option is to have the host
connect to the viewer.

To make this work, you have to know how to make your software
announce, and to whom it is announcing. At home, you probably have a
dynamic ip address... it gets updated/changed every time you connect
to the Internet. If you have a Dynamic DNS client solution at home
from dyndns.org or no-ip.com, you can have a real name associated with
your computer. This is good ... and bad. until you get home and update
your client, there is no telling to whom your computer is going to
announce (someone else might have that ip address). Let's assume
you've gotten a dynamic DNS name.

Now, how to announce: Set up your remote control software to make a
connection to the viewing PC (connect to viewer at
hostname.dynamicdnsservice.com. This may be called a reverse
connection. Save the connection icon. Use your Windows built-in task
scheduling program to call that connection at a time you may be home.
Maybe even try again in 15-20 minute intervals until you're no longer
interested in connections. AT HOME: turn on your remote control
software so that it is waiting for host connections. See, this is
almost exactly the reverse of how you're used to doing it. Now, you
must have the ports open to the Internet that you're waiting for. If
you have a home router/firewall (or, it seems xp sp2!), you must
configure it to allow the inbound connections!

I *know* this is a very strange configuration, and I left out all the
stuff about security and authentication that you should have already
in place because you don't need to have someone "accidentally" have
your IP address and an unauthenticated client connection to your
office.

One other thing: If you use this correctly, and are portable with your
dynamic dns connection, you can have your remote control software
follow you anywhere... Also, it's a no-brainer for your administrative
assistant to double-click the "connect to home" icon when you call in
on the road ...

Reminder: this only works IF your remote control viewer software is
waiting for the call at the time of announce. Yes, it does require
preplanning on your part, but I'm PRETTY sure you'll be able to do
this without firewall configuration at your office, no matter what
software you run.

Ok, i follow most of what you are saying.  Let me give you a little
more info on my configuration.  I do have an account with no-ip.com. 
I am using PCAnywhere (which i assume is what your instructions were
based on).  I have my router (at home) forwarding the two necessary
ports.
I don't understand how to make the remote try to connect to the host. 
I also have tightvnc and i'm not sure how to do it with that either. 
Thanks for your help.

OK, but so we're clear and talking on the same page, where is the host
and where is the viewer?

I'm assuming that "office" is host and "home" is viewer, but your last
post may have made it unclear to me...

Here's a support document from Symantec that explains briefly what I
was trying to say at length...
http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/2002093009205212

If you were using tightVNC, you must have port 5500(plus display
number) viewer listening for connection when server/host is connecting
to viewer.

The reason I know all this is because I use it so my 150 users can
double-click on a "help me" icon to bring their screen on my PC (so I
don't have to hunt for their IP address). The "Help Me" icon is
"drive:\path\to\winvnc.exe" -connect computername
but you can change computername to your.no-ip.com

At the viewer, you have to have port 5500(plus display number, usually
zero) listening for connection (and passable through your
remote/viewer firewall, if exists). OK, I said that already, but it
bears repeating.

If you want to use pcAnywhere to wait for host connection, check
netstat -an on the viewer PC to make sure that the standard 5631 and
5632 ports are all that's necessary. netstat -an tells you all the
ports that your network is "listening" for. 0.0.0.0 means that "all
devices" are listening on that port.

I think it also bears repeating that tightvnc does not have any
security when host is attaching to viewer. If your tightvnc connection
happens to announce to someone not you, the only thing stopping the
connection from existing is that the "not you" is *probably* not
running VNC Viewer in listen mode. (Hint: this a good reason to
attempt to connect at other than the default 5500 port.)

I got PCAnywhere and TightVNC to work with two computers on different
networks.  I still have to try it on the computer behind the corporate
firewall.
You mentioned that you created a "help me" icon for your users.  I am
assuming that you already have TightVNC installed on their computers. 
Is there any way to package the app such that all a user has to do is
grab a file from my computer (a zip or exe) and run it without
installing it?  You can kind of do this with pcanywhere but it is
limited by the fact that you can't "call remote", which makes it
useless for my purposes.  Thanks again.

I know for a fact that PCAnywhere can call remote, otherwise both I
and Symantec (in the link I gave above) are incorrect. I know this
because I have successfully tried this scenario.

But, setting aside that fact, and moving to tightvnc, the question posed "I am
assuming that you already have TightVNC installed on their computers. 
Is there any way to package the app such that all a user has to do is
grab a file from my computer (a zip or exe) and run it without
installing it?"

To the best of my knowledge, no. Of course, my knowledge is limited in
that. There are programs like webex that run on an activex through a
browser, and I suppose there are other programs, but most of them
require some hook to get between the keyboard, mouse, and video.

Considering the small size of tightVNC and the effortless install...
If you want, you could create a batch file (viewme.bat) that contains:
\\server\path\to\tightvnc-1.2.9-setup.exe /sp- /verysilent
"c:\program files\tightvnc\winvnc.exe" -connect remote.viewer.ip.address

So it'll install and announce. This does NOT (should not?) install
tightvnc as an automatically startup service.

I did not mean that PCAnywhere could not call a remote.  I did that
and it worked.  What i meant was was that using the PCAnywhere "thin
host" you can't "call remote".  The thin host is a way run a host
without installing pcanywhere.

i will give the tightvnc stuff a try.  thanks.

When i run that bat file it automatically restarts the computer.  Is
there any way to stop that?

That result was not documented in tightVNC, so I don't have an answer
for you. Perhaps the tightVNC mailing list can help?
http://lists.sourceforge.net/lists/listinfo/vnc-tight-list

I don't understand why a reboot is required unless there might have
been a reboot pending... I'm pretty certain reboot isn't required if
the application is installed manually.

i tried it on several computers and they all rebooted.  I will try
that mailing list.