Controlling which applications on your Windows PC can access the internet is a powerful way to enhance your security, privacy, and even system performance. You might want to block specific apps from internet access for various reasons: to prevent a game from connecting to online servers, to stop an application from phoning home with telemetry data, to limit bandwidth usage, or to curb annoying ads. While many users rely on third-party security suites for this kind of control, Windows Defender Firewall (often referred to simply as Windows Firewall) offers robust built-in capabilities to manage application-level internet access.
The concept of a firewall as a “wall of fire” to protect a network or computer has been around for decades. In computing, a firewall acts as a barrier, inspecting incoming and outgoing network traffic and deciding whether to allow or block it based on a set of predefined rules. Windows Defender Firewall, integrated into Windows operating systems since Windows XP (as Windows Firewall), has evolved significantly. Modern versions, particularly Windows Defender Firewall with Advanced Security, provide granular control over network connections for individual applications and services. This level of detail allows you to precisely define who and what can communicate with your computer and the internet.
This guide will walk you through the process of creating custom firewall rules to block specific applications from internet access using the Windows Defender Firewall with Advanced Security interface, which offers the most comprehensive control.
Understanding Windows Defender Firewall
Windows Defender Firewall operates on a set of rules. When an application tries to establish a connection (either inbound, from the internet to your PC, or outbound, from your PC to the internet), the firewall checks its rules.
- Inbound Rules: Control traffic coming into your computer. By default, Windows Firewall generally blocks unsolicited inbound connections unless a specific rule allows them.
- Outbound Rules: Control traffic going out from your computer. By default, Windows Firewall usually allows outbound connections unless a specific rule explicitly blocks them. This is the type of rule we will focus on to block apps from accessing the internet.
- Profiles: Firewall rules can apply to different network profiles:
  - Domain: For computers connected to an enterprise domain network.
  - Private: For trusted networks like your home or small office.
  - Public: For untrusted networks like Wi-Fi hotspots in cafes or airports.
  It’s recommended to apply blocking rules to all profiles for consistent protection, especially “Private” and “Public.”
Method 1: Blocking an App Using Windows Defender Firewall with Advanced Security
This is the most precise and recommended method for blocking specific applications.
Entities:
- Windows Defender Firewall: The built-in network security component of Microsoft Windows that monitors and controls incoming and outgoing network traffic based on predefined security rules.
- Windows Defender Firewall with Advanced Security: A Microsoft Management Console (MMC) snap-in that provides advanced configuration options for Windows Defender Firewall, allowing granular control over firewall rules.
- Executable file (.exe): The main program file that starts an application in Windows. Firewall rules are typically based on the path to this file.
Step-by-Step Guide:
- Open Windows Defender Firewall with Advanced Security:
  - Press Windows Key + R to open the Run dialog.
  - Type wf.msc and press Enter.
  - Alternatively, search for “Windows Defender Firewall” in the Start menu, click on it, and then click on “Advanced settings” in the left pane.
  - You may be prompted for administrator permission. Click “Yes.”
- Navigate to Outbound Rules:
  - In the “Windows Defender Firewall with Advanced Security” window, look at the left-hand pane.
  - Click on “Outbound Rules.” This section lists all existing rules that govern outgoing connections.
- Create a New Rule:
  - In the right-hand “Actions” pane (or by right-clicking “Outbound Rules” in the left pane), click on “New Rule…”
  - This will open the “New Outbound Rule Wizard.”
- Select Rule Type: Program:
  - On the “Rule Type” screen, select “Program.” This indicates that your rule will apply to a specific application.
  - Click “Next.”
- Specify the Program Path:
  - On the “Program” screen, choose “This program path:”
  - Click the “Browse…” button.
  - Navigate to the executable file (.exe) of the application you want to block.
    - Tip: Most programs are located in C:\Program Files\ or C:\Program Files (x86)\. For Microsoft Store apps, finding the exact .exe path can be trickier; you might need to use a different approach or search online for the specific app’s executable location.
    - For example, to block a browser like Firefox, you might go to C:\Program Files\Mozilla Firefox\firefox.exe.
  - Select the .exe file and click “Open.”
  - The path will now be filled in. Click “Next.”
- Specify the Action: Block the Connection:
  - On the “Action” screen, select “Block the connection.”
  - Click “Next.”
- Choose Profiles:
  - On the “Profile” screen, select when this rule should apply. It’s generally recommended to check all three boxes:
    - Domain: If your computer is part of a corporate network.
    - Private: For your home or trusted networks.
    - Public: For public Wi-Fi networks (e.g., coffee shops).
  - Checking all three ensures the app is blocked regardless of your network connection type.
  - Click “Next.”
- Name the Rule:
  - On the “Name” screen, give your new rule a descriptive Name (e.g., “Block Fortnite Internet Access,” “No Telemetry for X App”).
  - Optionally, add a Description for more details. This helps you remember why you created the rule later.
  - Click “Finish.”
Your new rule will now appear in the “Outbound Rules” list. The application you specified will no longer be able to access the internet through that executable.
Method 2: Temporarily Blocking an App (Less Granular)
This method is quicker for toggling internet access for apps already listed in a simplified Firewall interface, but it doesn’t allow adding unlisted apps or granular control like Method 1.
Step-by-Step Guide:
- Open Windows Defender Firewall:
  - Search for “Windows Defender Firewall” in the Start menu and open it.
- Allow an App or Feature:
  - In the left pane, click “Allow an app or feature through Windows Defender Firewall.”
- Change Settings:
  - Click “Change settings” (you may need administrator privileges).
- Locate and Uncheck:
  - Scroll through the list of “Allowed apps and features.”
  - Find the application you want to block.
  - Uncheck the boxes under “Private” and “Public” (or “Domain” if applicable) next to the app’s name.
  - If the app isn’t listed, you can click “Allow another app…”, but this adds the app as an allowed entry rather than blocking it. For blocking unlisted apps, Method 1 is superior.
- Save Changes:
  - Click “OK” to save your changes.
Method 3: Blocking an App Using Command Prompt (CMD) or PowerShell
For users comfortable with command-line interfaces, you can create firewall rules directly using netsh (Command Prompt) or New-NetFirewallRule (PowerShell). This is useful for scripting or if the GUI is inaccessible.
Entities:
- Command Prompt (CMD): A command-line interpreter application available in most Windows operating systems, used for executing commands.
- PowerShell: A cross-platform task automation and configuration management framework from Microsoft, consisting of a command-line shell and a scripting language.
- Netsh: A command-line utility for managing network configuration and components in Windows, including the firewall.
- New-NetFirewallRule: A PowerShell cmdlet (command-let) used to create new firewall rules in Windows.
Step-by-Step Guide (Command Prompt):
- Open Command Prompt as Administrator:
  - Search for “cmd” in the Start menu.
  - Right-click on “Command Prompt” and select “Run as administrator.”
- Enter the Command:
  - Type the following command, replacing “App Name” with a descriptive name for your rule and “C:\Path\To\Your\App.exe” with the actual path to the executable:
    netsh advfirewall firewall add rule name="Block App Name" dir=out action=block program="C:\Path\To\Your\App.exe" enable=yes
  - Press Enter. You should see “Ok.”
  - Example: netsh advfirewall firewall add rule name="Block Chrome" dir=out action=block program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes
- To Delete the Rule (if needed):
    netsh advfirewall firewall delete rule name="Block App Name"
Step-by-Step Guide (PowerShell):
- Open PowerShell as Administrator:
  - Search for “powershell” in the Start menu.
  - Right-click on “Windows PowerShell” and select “Run as administrator.”
- Enter the Command:
  - Type the following command, replacing “App Name” and “C:\Path\To\Your\App.exe” as before:
    New-NetFirewallRule -DisplayName "Block App Name" -Direction Outbound -Program "C:\Path\To\Your\App.exe" -Action Block -Enabled True
  - Press Enter.
  - Example: New-NetFirewallRule -DisplayName "Block Edge" -Direction Outbound -Program "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -Action Block -Enabled True
- To Delete the Rule (if needed):
    Remove-NetFirewallRule -DisplayName "Block App Name"
Important Considerations:
- Executable Location: The most crucial part of blocking an app is finding its exact executable file (.exe) path. Right-clicking a shortcut and choosing “Open file location” can often lead you to it. For Microsoft Store apps, executables are often buried deep in C:\Program Files\WindowsApps\ (a hidden folder requiring special permissions to access).
- Multiple Executables: Some complex applications (e.g., games, large suites) might have multiple executables that try to connect to the internet. You might need to create rules for each one.
- Updates: App updates might change the executable path, rendering your firewall rule ineffective. You may need to re-create the rule after significant updates.
- VPNs: If you use a VPN, the app’s traffic will typically be routed through the VPN tunnel. Firewall rules still apply before the traffic enters the VPN tunnel, effectively blocking it at your machine.
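An added example (not from the original guide) that covers the “Multiple Executables” and “Updates” points above: it blocks every .exe under an install folder on all profiles and reports rules whose executable path no longer exists. The function names, the group label and the paths in the usage comments are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. The function names and the 'Blocked Apps (example)' group
# label are hypothetical; the cmdlets are from the built-in NetSecurity module.

$Group = 'Blocked Apps (example)'

function Add-AppFolderBlock {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,  # the app's install folder
        [Parameter(Mandatory)] [string] $AppName      # used in the rule names
    )
    # Paths already covered by a rule in this group, so re-runs add no duplicates.
    $covered = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter | ForEach-Object { $_.Program })

    # One outbound block rule per executable, applied to Domain, Private and Public.
    Get-ChildItem -LiteralPath $InstallDir -Filter *.exe -Recurse -File |
        Where-Object { $covered -notcontains $_.FullName } |
        ForEach-Object {
            New-NetFirewallRule -DisplayName "Block $AppName ($($_.Name))" `
                -Group $Group -Direction Outbound -Program $_.FullName `
                -Action Block -Profile Any -Enabled True
        }
}

function Get-StaleAppBlock {
    # Rules whose executable is gone, typically because an update moved it.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables(
            ($_ | Get-NetFirewallApplicationFilter).Program)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Rule = $_.DisplayName; MissingProgram = $path }
        }
    }
}

# Usage (placeholder path, replace with the real install folder):
# Add-AppFolderBlock -InstallDir 'C:\Path\To\Your\App' -AppName 'App Name'
# Get-StaleAppBlock | Format-Table -AutoSize
```

Run Get-StaleAppBlock after application updates; any rule it lists no longer matches a file on disk and should be removed and re-created against the new path.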
By following these steps, you gain precise control over which applications can communicate with the internet on your Windows PC, enhancing your system’s security and your digital privacy.
FAQ
Q1: Why would I want to block an app from accessing the internet?
A1: There are several reasons:
- Privacy: To prevent apps from sending telemetry, usage data, or personal information without your explicit consent.
- Bandwidth Saving: To stop bandwidth-intensive apps (like games or update services) from downloading or uploading data in the background.
- Security: To prevent potentially malicious or untrusted applications from connecting to external servers.
- Performance: To reduce background network activity that might slow down your internet connection or PC.
- Avoiding Ads/Updates: Some apps might serve ads or force updates that you wish to avoid.
Q2: Is Windows Defender Firewall enough, or do I need a third-party firewall?
A2: For most home users, Windows Defender Firewall provides sufficient protection and granular control for blocking specific applications. Its integration with the operating system makes it efficient. Third-party firewalls often offer a more user-friendly interface, additional features like application control alerts, and potentially more advanced intrusion prevention systems, but they are not strictly necessary for basic app blocking.
Q3: Can I temporarily disable a firewall rule instead of deleting it?
A3: Yes, you can! In Windows Defender Firewall with Advanced Security:
- Go to “Outbound Rules.”
- Find the rule you created.
- Right-click on the rule and select “Disable Rule.” You can re-enable it later by right-clicking and selecting “Enable Rule.”
Q4: How do I find the executable path for a Microsoft Store app?
A4: Finding the .exe path for Microsoft Store (UWP) apps can be challenging because they are stored in protected folders (C:\Program Files\WindowsApps). For some common Microsoft Store apps, you can often find their executables by:
- Opening Task Manager (Ctrl+Shift+Esc).
- Finding the app under the “Processes” tab.
- Right-clicking on the app’s process and selecting “Open file location.” This will usually take you to the app’s installation directory.
Alternatively, some third-party tools or online guides provide lists of common UWP app executable paths.
Q5: Will blocking an app’s internet access affect its offline functionality?
A5: Typically, no. If an application is designed to function offline (e.g., a word processor, a single-player game), blocking its internet access through the firewall should not affect its core offline capabilities. However, any features that rely on an internet connection (like online updates, cloud syncing, multiplayer modes, or integrated ads) will cease to function.