Sooo, it's a known issue for the FW to still show as "On" on the SEPM for a client, while it's actually been disabled.
http://www.symantec.com/docs/TECH203713
As such, can you check what version you're running and (if affected) consider upgrading?
Regarding your initial question though, James007's first post hit the nail on the head. Placing the client in its own group and withdrawing the FW policy from this group is the best way to disable the FW only for a client.
All other remote methods (whether via commands from the SEPM, Altiris/SCCM/LANDesk scripts, or by PSExec'ing smc commands) will disable both FW and IPS.
The only problem is that it will take a while to take effect, as you'll need to wait for the client to heartbeat in before it will pick up the policy change.