I do this for all of my clients.
There are two group policy administrative templates, one is the network/network connections/windows firewall/domain profile, the other is the ./././standard profile. The domain profile is used when connected to the domain, the standard profile is when the computer is not connected to the domain. You can select the domain profile to turn off the firewall, and select the standard profile to turn on the firewall. This accomplishes your goal.