I think I've worked it out, well it seemed to work here but it's 0220 and I've got to get up in 2 hours.
Anyway, by default WFwAS, (Windows Firewall with Advanced Security), allows all outgoing connections so you have to set it to Block connections by default for the Private profile.
You then need to create rules for the programs you want to let through, including your browsers, just like you would with a normal firewall.
Once you've done that, you can limit the access your browsers have by using the netsh command like above but using the remoteip option, (not profile or enable).
e.g. remoteip=any Full access
remoteip=192.168.0.1/24 LAN access only
Sorry, my screw-up with the misleading profile stuff above, (I think old age is catching up to me).
-4wd
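The steps described in the post above, put together as an added example that is not part of the original thread. The program path, rule name and the 192.168.0.0/24 subnet are placeholders chosen for illustration, and the commands assume an elevated PowerShell prompt.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
$Browser  = 'C:\Program Files\ExampleBrowser\browser.exe'   # hypothetical path
$RuleName = 'ExampleBrowserOut'                             # hypothetical rule name

# 1. Check which profile is active. The default-block set below only takes
#    effect while the current network is classified as Private.
netsh advfirewall show currentprofile

# 2. Private profile: block outbound connections by default.
#    The value is quoted so PowerShell passes "in,out" as one argument
#    instead of splitting it at the comma.
netsh advfirewall set privateprofile firewallpolicy "blockinbound,blockoutbound"

# 3. Let the browser out, but only to the local subnet (LAN access only).
netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow `
    program="$Browser" profile=private remoteip=192.168.0.0/24

# 4. To give the same rule full access later, change only remoteip.
netsh advfirewall firewall set rule name="$RuleName" new remoteip=any

# 5. Show the rule as stored (program path, profiles, remote addresses)
#    to confirm it matches what was intended.
netsh advfirewall firewall show rule name="$RuleName" verbose
```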
Thanks, (and get to bed!) I'll look at this again tomorrow now that you've discovered a bit more.
Hopefully it doesn't change what you've just said but I was manually setting up blocking rules on each of the browsers (just using the GUI for the firewall). So, all profiles (Domain, Private, Public) are selected and blocked and the rule enabled - so, I'm confused now why that isn't enough - hopefully it will be obvious when I see what you mean in the firewall control panel.
edit:
I think I see now...
I created a rule to block everything for the Private profile and this does block everything, including the browsers that wouldn't block before.
The problem with this approach is that "everything" is going to cause problems elsewhere or be too time-consuming to start creating filters for all the programs that need connections. It would be more secure, of course, but it seems like a backward approach to just blocking a couple of browsers (and Apache and MySQL sometimes).
I think I need a way to identify why some of the browsers are still getting through even when a rule says they are blocked for all profiles.