The answer in that case lies in the images being created beforehand. As long as they're having to manually roll those settings out, if they don't have a script they can run people are going to defer to simply shutting them off for expediency.
There's always a ton of talk about security and compliance, but when the rubber hits the road, no one wants to spend the necessary time to get to that point. That's at least true here in the states (and my personal experience)
So, three choices:
A netsh script solution to configure the Windows FW as you like
A powershell script solution to configure the Windows FW as you like
WDS Server and images with preconfigured firewalls for your company's needs. (This last option may be somewhat overbearing if you don't roll out a lot of machines but honestly I'd rather do it and be prepared for large growth)
To OP:
What do you not understand about the Windows FW that you'd like to know? To answer the only question I see posed, as far as I've been able to determine it will not block outbound on most common ports by default and it will allow response traffic for that session to get through. We aren't technically requiring it in our environment, yeah? I have been leaving it configured as it was going to be an upcoming requirement and so far I haven't had to create or modify the outbound rules for anyone's applications, only allow inbound.
To Daniel:
Sad they would do it over ping, but you'd think they'd at least just disable 'Domain' firewall rather than switching the whole thing off. Been there though.