You should also enable the 'Windows Firewall: Protect all network connections' policy setting otherwise administrators who log on locally can work around the 'Windows Firewall: Do not allow exceptions' policy setting by turning off the firewall.If you disable this policy setting Windows Firewall applies other policy settings that allow unsolicited incoming messages.
This policy setting overrides all other Windows Firewall policy settings that allow such messages.If you enable this policy setting in the Windows Firewall component of Control Panel the 'Block all incoming connections' check box is selected and administrators cannot clear it. Specifies that Windows Firewall blocks all unsolicited incoming messages.