
When Microsoft uses the term "Public network", what does it mean?

Anonymous
2015-01-30T19:48:56+00:00

When Microsoft uses the term "Public network", what does it mean?

Look at the screen shot below

This is from my 'Control Panel'-'Windows Firewall', taken a couple of minutes ago. Note that "Public networks" is "Not Connected", yet I'm able to browse the Internet.

Am I to conclude that Microsoft thinks that the Internet is not a public network? That would be pretty silly, wouldn't it? So, this brings me back around to my question: When Microsoft uses the term "Public network", what does it mean?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


6 answers

  1. @CmdrKeene 90,621 Reputation points Volunteer Moderator
    2015-01-30T21:08:35+00:00

    That's not describing the network specifically, it's more of a description of "how should Windows treat this network for security purposes".  If you tell it that a network is "public" (like a coffee shop free wifi), Windows will treat it with higher security scrutiny and block some ports and communications.

    But if it's a network you own (your home router, or your workplace company network), then Windows knows you are in control of the data on that network and will let more types of communications be allowed.

    6 people found this answer helpful.
  2. Anonymous
    2015-02-08T12:07:29+00:00

    Hey Shawn!

    I solved my problem here:

    https://social.technet.microsoft.com/Forums/en-US/62b9fd5c-10b2-4266-bc15-fcf3e79d20d4/solved-windows-firewall-rule-that-allows-windows-update?forum=w7itpronetworking

    It was basically simple once I learned to follow my nose.

    Thanks for your help. Ciao!

    1 person found this answer helpful.
  3. @CmdrKeene 90,621 Reputation points Volunteer Moderator
    2015-01-31T23:21:45+00:00

    I'll do my best to go point by point.

    What ports is Windows listening on?

    You can run netstat -aon at the command line to see what ports are being used right now, and which program is using each one. It lists the PID (Process ID), which you can reference to the Task Manager (or run the command tasklist) to see the name of the program that's using the port. This also tells you which IP address the port is communicating with, so you can see where your network traffic is going.

    1. Is there a bulk method to mark an extended selection of firewall rules as Action=Block?

    You can shift+click to select a range of firewall rules and right-click/disable them. If the rules are "allow" rules, then this action of disabling them would effectively block the program from communicating.

    2. If Outbound connection is not matched to rule is allowed, does that mean firewall is wide open?

    Yes, outbound connections are allowed unless they match a rule. For example, if you downloaded the Facebook app, it would be allowed to make an outbound connection unless you have an outbound rule that blocks it from doing so.

    Basically inbound is "deny unless there's an exception rule" and Outbound is "allow unless there's an exception rule".

    3. Effectively yes.
    4. That would mean it's blocking inbound connections.
    5. It shouldn't be. Are you connecting to a port 80 server? When did it begin blocking your browser? Is it listed in the allowed apps list like my Google Chrome here?

    Also remember this firewall is app-centric.  That's because it's far safer to allow an app than a port. 

    When you add an app to the list of allowed apps in a firewall—sometimes called unblocking—or when you open a firewall port, you allow a specific app to send info to or from your PC through the firewall, as though you drilled a hole in the firewall. This makes your PC less secure and might create opportunities for hackers or malware to use one of those openings to get to your files or use your PC to spread malware to other PCs.

    A port stays open until you close it, but an allowed app opens the "hole" only when needed. Generally, it's safer to add an app to the list of allowed apps than to open a port.

    1 person found this answer helpful.
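The `netstat -aon` and `tasklist` lookup described in the answer above can be scripted. This added example (not from the original posts) parses constructed samples of both outputs and lists each listening port with its owning process, flagging sockets bound to a non-loopback address. All sample lines, PIDs and process names are constructed; on a real machine, feed it the output of `netstat -aon` and `tasklist /fo csv /nh`.

```python
import csv
import io

# Constructed sample of `netstat -aon` output (not captured from a real host).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5120
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:5355           *:*                                    1208
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"System","4","Services","0","1,024 K"
"svchost.exe","884","Services","0","7,512 K"
"svchost.exe","1208","Services","0","9,300 K"
"helper.exe","1820","Services","0","2,100 K"
"browser.exe","5120","Console","1","150,000 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def listeners(netstat_text, names):
    """Return (proto, address, port, pid, process, exposed) per listening socket."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        if f[0] == "TCP" and (len(f) != 5 or f[3] != "LISTENING"):
            continue                      # established/other TCP states
        if f[0] == "UDP" and len(f) != 4:
            continue                      # UDP rows carry no State column
        addr, _, port = f[1].rpartition(":")   # rpartition copes with [::]:135
        pid = int(f[-1])
        exposed = addr not in ("127.0.0.1", "[::1]")
        found.append((f[0], addr, int(port), pid, names.get(pid, "?"), exposed))
    return sorted(found, key=lambda r: (r[2], r[0], r[1]))

if __name__ == "__main__":
    for row in listeners(NETSTAT, pid_names(TASKLIST)):
        print(row)
```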
  4. Anonymous
    2015-02-01T08:14:20+00:00

    Shawn, First: Thank you so much. I feel very privileged to get such help.

    I've done an experiment that illuminates how firewall rules actually work, which, unless you made some simple errors in your reply to me, is slightly different from what you think. The difference is this: Disabling a rule doesn't mean that its connection is blocked. Disabling a rule means that the rule isn't applied. Whether that results in a connection blocked or a connection allowed depends upon what the default is.

    1. For simplicity, I changed my network to a Public network.

    2. I set the firewall (defaults) to block all traffic.

    3. I created 2 firewall rules.

    Note that ALLOW ALL is Action=Allow (which is the default for the table) and BLOCK ALL is Action=Block (which can only be set through the property sheet).

    4. I created 4 scenarios.

    Call these (left to right) A1, A2, B1, and B2.

    A1: Default is Block. Rule is not applied (not enabled). Result is Block (browser does not work).

    A2: Default is Block. Rule is Allow. Result is Allow (browser works).

    B1: Default is Allow. Rule is not applied (not enabled). Result is Allow (browser works).

    B2: Default is Allow. Rule is Block. Result is Block (browser does not work).

    Note that when the rule is Enabled=No, the result tracks the default. But when the rule is Enabled=Yes, the result tracks the rule.

    Also note that there are 2 degenerate cases: A3 (Block+Block) & B3 (Allow+Allow).

    Now I'm going to skip being pedantic about what you wrote (some of it doesn't jibe) and get right to the mystery.

    The Mystery: Suppose ALLOW ALL doesn't exist. Nonetheless, if I enable all Outbound rules (that is, A2 done piecewise), the browser should work, but it doesn't.

    See next message.

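The four scenarios in the experiment above, as a small model in Python, going one step further to cover enabled allow rules that do not match the connection. This is an added example, not part of the original posts and not Windows code. It assumes the documented precedence (a matching block rule, then a matching allow rule, then the profile default) and ignores authenticated-bypass rules; `browser.exe`, the rule fields and the two scoped rules are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                        # "Allow" or "Block"
    enabled: bool = True
    program: str = "*"                 # "*" = any program
    remote_port: Optional[int] = None  # None = any remote port

    def matches(self, program: str, port: int) -> bool:
        # A disabled rule never matches, so it cannot influence the verdict.
        return (self.enabled and self.program in ("*", program)
                and self.remote_port in (None, port))

def verdict(default: str, rules, program: str, port: int) -> str:
    hits = [r.action for r in rules if r.matches(program, port)]
    if "Block" in hits:
        return "Block"   # a matching block rule wins over any allow rule
    if "Allow" in hits:
        return "Allow"
    return default       # nothing matched: the profile default decides

def scenario(default: str, allow_on: bool, block_on: bool) -> str:
    rules = [Rule("ALLOW ALL", "Allow", enabled=allow_on),
             Rule("BLOCK ALL", "Block", enabled=block_on)]
    return verdict(default, rules, "browser.exe", 80)  # hypothetical browser

def table():
    # The post's scenarios A1, A2, B1, B2.
    return {
        "A1": scenario("Block", False, False),
        "A2": scenario("Block", True, False),
        "B1": scenario("Allow", False, False),
        "B2": scenario("Allow", False, True),
    }

def scoped_allow_only() -> str:
    # Constructed rules: enabled allow rules that do not cover the browser.
    rules = [Rule("DNS (constructed)", "Allow",
                  program="svchost.exe", remote_port=53),
             Rule("Updater (constructed)", "Allow",
                  program="updater.exe", remote_port=443)]
    return verdict("Block", rules, "browser.exe", 80)

if __name__ == "__main__":
    print(table(), scoped_allow_only())
```

In this model, enabling every allow rule only opens traffic that some rule actually matches; anything else still falls through to the default.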
  5. Anonymous
    2015-01-31T01:17:57+00:00

    Hi Shawn,

    You wrote: That's not describing the network specifically, it's more of a description of "how should Windows treat this network for security purposes".

    How Windows should treat the network connection is what I'm attempting (and failing) to figure out.

    You wrote: If you tell it that a network is "public" (like a coffee shop free wifi), Windows will treat it with higher security scrutiny and block some ports and communications.

    I want one security setup. No "zones".

    You wrote: But if it's a network you own (your home router, or your workplace company network), then Windows knows you are in control of the data on that network and will let more types of communications be allowed.

    But I feel out of control because I'm not given any technical details.

    I'll try to make this easy. Regarding Inbound, behind what ports does Windows have listeners? Kindly scope all 65,535 ports when listing (but only the ports that actually have listeners of course).

    I've spent days on this and I don't think I've made any progress. If I may ask more questions...

    1, Is there a bulk method to mark an extended selection of firewall rules as Action=Block?

    2, If "(green checkmark) Outbound connections that do not match a rule are allowed", and all firewall rules are Enabled=No, does that mean that the firewall is wide open?

    3, If "(green checkmark) Outbound connections that do not match a rule are allowed", and all firewall rules are Enabled=Yes, but all have Action=Allow, does that mean that the firewall rules are doing nothing?

    4, If "(red no-entry) Outbound connections that do not match a rule are blocked", and all firewall rules are Enabled=No, does that mean that the firewall is totally closed?

    5, If "(red no-entry) Outbound connections that do not match a rule are blocked", and all firewall rules are Enabled=Yes, and all have Action=Allow, why is the firewall blocking my browser?

    Links are okay. Tips on Registry settings are okay too. Links to tips on Registry settings are okay too.

    Thank You.

    PS: Note that after many days searching and reading, I've not found any articles or forum posts that specifically address these issues.
