It's not the job of a FW to be blocking applications. A personal FW/packet filter is not a FW. The job of a FW is to stop inbound and outbound packets coming from the network it is protecting against, and also leaving the network if rules have been set to stop outbound packets. A FW sits at the junction point between two networks.
If the machine has been compromised, then there is nothing running on the machine that can stop it, other than the O/S, if it has the means to do so. So you stop something with a PFW. But what about the boot and login process, where the malware can beat the PFW to the connection and get out, because the PFW is not an integrated part of the O/S that the O/S is going to make other services wait for until the FW is up and running? And besides that, malware can fool the packet filter with app. control running with the O/S, like it can fool the O/S, with both of them running with the O/S.
And most users flat-out do not know what is legit or non-legit traffic in a typical situation when they are being asked the questions.
Like I said, if the solution is not using two NICs, it's not a FW solution and is just a packet filter.
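As an added illustration of the "FW at the junction point between two networks" idea in the post above (this is an example ruleset written for this page, not something the poster provided), here is an nftables configuration for a dedicated box with two interfaces. The interface names `lan0` (protected network) and `wan0` (untrusted side), the SSH management rule and the allowed egress ports are assumptions chosen for the example. Nothing here depends on which application on an inside host generated a packet; decisions are made purely on interface, protocol and port, and both directions are filtered in the `forward` chain, which is the only chain transit traffic passes through.

```nft
#!/usr/sbin/nft -f
# Two-interface network firewall (example for this page; interface names are assumed).
# lan0 = protected network, wan0 = untrusted network. The host itself is only a
# junction point: traffic between the networks is evaluated in the forward chain.

flush ruleset

table inet fw {
    # Traffic addressed to the firewall host itself: drop by default,
    # allow management only from the protected side.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "lan0" tcp dport 22 accept
    }

    # Transit traffic between the two networks: default drop in both directions.
    # Inbound new connections from wan0 never match an accept rule, so they are dropped.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Outbound rules: only the services the policy allows leave the network.
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "lan0" oifname "wan0" udp dport 53 accept
        # Anything else leaving the protected network is logged before the drop,
        # which is what surfaces an inside host trying to reach out on an odd port.
        iifname "lan0" oifname "wan0" log prefix "fw-egress-drop: " drop
    }

    # Packets originated by the firewall host itself.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` (IP forwarding must be enabled in the kernel for the forward chain to see any traffic), and watch the kernel log for the `fw-egress-drop:` prefix to see which inside hosts are attempting connections the policy does not allow.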