Currently there are hidden rules in endpoint protection (windows 7 v12.x) which for example allow EAPOL traffic from SEP client through to a NIC
It should be possible to block all this traffic as well, perhaps a checkmark in the built-in rules for ALL the different types of traffic which can't be blocked with user rules. (I don't even know what else is allowed or will be allowed in future versions)
It is very bad policy that firewall allows any traffic through without me knowing and being able to do something about it. No matter how "dangerous" blocking it might be.
In this case it results in unwanted functionality on the latop. Even though I block all traffic to all interfaces, this will go through. Thus enabling laptop to authenticate to wifi (Granted, it will block rest of the traffic, but it still authenticates and if it has a fixed IP it will stay authenticated to that network)