Sorry I don't know about fw ctl install, nor NG on Windows. However my team's setup guide for NG on Nokia may be helpful.
"Now that the Nokia has been configured, you are ready to configure Checkpoint via 'cpconfig'. One problem - after running 'cpconfig' the Nokia reboots in order for changes to take effect. Upon reboot, the Nokia box loads with the 'defaultfilter.pf' policy. This policy for all intents and purposes blocks all traffic. Normal procedure when faced with this is to issue the command 'fw unloadlocal' However, if you don't have console or term server access then you cannot issue this command. And of course, since defaultfilter.pf blocks everything, you will not be able to telnet/ssh to the box.
"A way around this situation is replace the defaultfilter.pf file with another IPSO specific file called 'defaultfilter.ipso_ssh' prior to running 'cpconfig'. As the name suggests, this policy will allow you to ssh into the box. From there you can remotely log into the firewall and issue the standard 'fw unloadlocal'.
"DO THIS BEFORE RUNNING THE INITIAL CPCONFIG:
- cp $FWDIR/lib/defaultfilter.ipso_ssh $FWDIR/conf/defaultfilter.pf
- fw defaultgen (this generates the default filter)
-cp $FWDIR/state/default.bin $FWDIR/boot"
You may be able to make a copy of your default policy file (looks like it was $FWDIR/lib/default.boot in my case), edit it as desired, copy the modified file to $FWDIR/conf/defaultfilter.pf, execute 'fw defaultgen' to create the default policy from the source file, then move the default.bin file to $FWDIR/boot.
If you're unfamiliar with Inspect like me, you can try copying/pasting portions from the other default policy files in $FWDIR/lib. For example, a stanza allowing incoming SSH:
all@all
accept inbound, tcp,
<[16]> in host_ip_addrs,
dport = 22,
DEFAULT_RECORD();
Command Line Policy Install 
2007-03-20 
Command Line Policy Install 
Linear Mode
