This is not the whole story though, W7FC does manage the system apps in a way but you can not edit or delete the rules it automatically creates for them. This is what the rules look like. The ones that say "enable all(read only)" are system files. You might get alarmed by the enable all part but this is exactly the same thing the built in Firewall does. It automatically creates incoming exceptions for system files that need them and allows all outgoing like it does for everything.

Dch48,

I am presently using the free ver. of W7FC. I have all outbound connections allowed for the Win 7 firewall. If I add rules for outbound in the Win 7 firewall primaily for svchost.exe - Win updates and time services only, this will override the corresponding rule (invisible) for svchost.exe that W7FC generated. Is that correct?

Pertaining to the paid ver. of W7FC. It appears to be pure firewall only; no IPS, HIPS, etc. Is that correct? I also noticed that an option exists in the paid version to “Check AV hook.” Is this really necessary to prevent localhost leaks as is implied? I am running avastsvc.exe as “enabled” in the free version without issue.