Image Execution Control: What is it?

Comodo Internet Security - CIS Defense+ / Sandbox Help - CIS
1

Help file doesnt give any useful description and I cant see if IEC works correctly or not.
What will change if I set IEC to disabled? Or if I add * to check list?(because any file can be executable)
Help file says:

Comodo Internet Security Pro calculates the hash an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is 'unrecognized' and you will receive an alert.
So without IEC all executables are treated as safe? Or unrecognized? I often see cmdagent.exe connecting to random ips -- is it hash checking? I also expected to see checks with local db, and if executable was changed, to receive alert at the moment of execution -- is this implemented and how to enable it?
2

Without IEC you will not be notified so I guess they will be allowed.

What are the IP addresses? They are most likely of Comodo for the AV and program updater. You can look up the owner to which those IP addresses belong here: http://www.arin.net/whois/ . Type in the IP address and see.

I don’t think CIS does a hash check to see if an executable has changed. You would have been notified by D+ that another program was trying to do something to that executable and you would have had the opportunity to block that.