Thank you Larry!
If you're running a windows unified connector on a Windows Server 2008 box with no GUI (console only), you can use this script to open port 9001 for managing the connector from a connector appliance:
netsh advfirewall firewall add rule name="ArcSight Connector Management" description="TCP 9001 is the connector management port for the Arcsight manager appliance." protocol=tcp dir=in localport=9001 action=allow
Also, you can use a non-admin service account to read logs if you add the account to the event log reader local group.