You need to faff about with Group Policy's firewall...
... Well, or (as one alternative) have an edge firewall not on the Windows device so Windows installs can't touch it - UTM or otherwise. But yes, that still generally requires more than the non-technical user can (through no fault of their own) bring to the table.