The solution of this problem could be even simpler. CIS developers could simply add another firewall mode which would allow outgoing traffic and would block or (optionally) ask whenever there is an incoming connection. This new firewall mode could replace the weird application policy approach which is currently used.
Firewall default allow all ==> Allow Outgoing Mode
Normal firewall ==> Custom Policy Mode
Firewall only for untrusted ==> Safe Mode
Allow Outgoing Mode:
- allows outgoing connections for any application
- blocks or (optionally) asks whenever there is an incoming connection
This new firewall mode would be consistent with the application policy currently used for the whole suite installation, and it would make it very easy to switch between the other firewall modes.
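To make the proposed mode concrete, here is an added example (not code from the post, nor from Comodo) that models the three modes named above as a small stateful decision engine. The per-app rule table, the trusted-application set and the packet fields are assumptions made for the illustration; the one point worth seeing in code is that "allow outgoing" only works if the firewall tracks connections it has accepted, so that reply traffic to an outbound connection is let through while an unsolicited inbound connection is blocked (or prompted for).

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    # Names taken from the post's mapping; the semantics below are a simplification.
    ALLOW_OUTGOING = "allow_outgoing"   # proposed: allow out, block/ask in
    CUSTOM_POLICY = "custom_policy"     # per-application rules, ask when no rule
    SAFE_MODE = "safe_mode"             # trusted apps allowed, untrusted asked


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (local app -> remote) or "in" (remote -> local app)
    app: str         # local application the socket belongs to (assumed field)
    remote: str      # remote address, constructed sample values below
    new_conn: bool   # True for the packet that opens a connection (e.g. TCP SYN)


@dataclass
class Firewall:
    mode: Mode
    ask_on_incoming: bool = False              # the "(optionally) ask" switch
    trusted_apps: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)  # app -> "allow" | "block"
    established: set = field(default_factory=set)  # connection-tracking table

    def decide(self, pkt: Packet) -> str:
        """Return 'allow', 'block' or 'ask' for one packet, updating state."""
        key = (pkt.app, pkt.remote)

        # Stateful part: anything that is not a new connection is allowed only
        # if it belongs to a connection this firewall already accepted.
        if not pkt.new_conn:
            return "allow" if key in self.established else "block"

        if self.mode is Mode.ALLOW_OUTGOING:
            if pkt.direction == "out":
                self.established.add(key)
                return "allow"
            # Unsolicited inbound connection: block, or prompt if configured.
            return "ask" if self.ask_on_incoming else "block"

        if self.mode is Mode.SAFE_MODE:
            if pkt.app in self.trusted_apps:
                self.established.add(key)
                return "allow"
            return "ask"

        # CUSTOM_POLICY: consult the explicit per-application rule table.
        verdict = self.rules.get(pkt.app, "ask")
        if verdict == "allow":
            self.established.add(key)
        return verdict


def run_trace(fw: Firewall, packets):
    """Feed a sequence of packets through the firewall, returning the verdicts."""
    return [fw.decide(p) for p in packets]


# Constructed sample traffic: a browser opens an outbound connection and gets a
# reply; then an unrelated remote host tries to connect to a local service.
SAMPLE = [
    Packet("out", "browser.exe", "203.0.113.5", True),
    Packet("in", "browser.exe", "203.0.113.5", False),   # reply to the above
    Packet("in", "sshd.exe", "198.51.100.9", True),      # unsolicited inbound
    Packet("in", "sshd.exe", "198.51.100.9", False),     # data with no session
]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_trace(Firewall(mode, trusted_apps={"browser.exe"}), SAMPLE))
```

Switching between modes only changes how a *new* connection is judged; the connection-tracking table is shared, which is what makes the proposed mode a drop-in alternative to the per-application policy rather than a separate mechanism.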