The Windows firewall is doing its job. The firewall will follow the rules it has; it does not enforce rule additions or deletions. UAC does that. The issue is that it's pretty easy for a program to automatically add a rule, either by adding a registry entry or through API calls. Firewall rules are stored in the following locations:
HKLM\Software\Policies\Microsoft\WindowsFirewall
and
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Rules can be added by adding a registry entry, through netsh, through PowerShell on newer Windows versions (8.1+), or through API calls.
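
Because rules can be written straight into the registry, it is worth auditing what is actually stored there. The following is an added example, not part of the original post: it parses the pipe-delimited rule strings and flags active inbound allow rules whose program lives in a user-writable location. Assumptions: the `FirewallRules` subkey name, the list of user-writable prefixes, and the sample rule values are not from the post; the samples are constructed.

```python
# Audit sketch: flag active inbound "allow" rules for programs in user-writable paths.
# FirewallRules is the subkey under the FirewallPolicy path above (assumption, not in the post).
FW_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

# Constructed sample values in the stored "vX.Y|Key=Value|...|" form.
SAMPLE_RULES = {
    "{A1}": r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Name=Remote Desktop|",
    "{B2}": r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\alice\AppData\Local\Temp\updater.exe|Name=Updater|",
    "{C3}": r"v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=17|App=C:\Users\alice\Downloads\tool.exe|Name=Tool|",
    "{D4}": r"v2.10|Action=Allow|Active=FALSE|Dir=In|App=C:\ProgramData\x\svc.exe|Name=Disabled|",
}

# Heuristic list of locations a non-admin user can usually write to (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%temp%", "%appdata%",
                 "%localappdata%", "%userprofile%")

def parse_rule(value):
    """Split one stored rule string into a dict; the first field is the version."""
    parts = value.strip("|").split("|")
    rule = {"Version": parts[0]}
    for field in parts[1:]:
        key, sep, val = field.partition("=")
        if sep:
            rule.setdefault(key, val)  # a key may repeat; the first value is kept
    return rule

def is_suspicious(rule):
    """Active inbound allow rule whose App path starts in a user-writable location."""
    app = rule.get("App", "").lower()
    return (rule.get("Action") == "Allow" and rule.get("Active") == "TRUE"
            and rule.get("Dir") == "In" and app.startswith(USER_WRITABLE))

def audit(rules):
    """Return sorted (value name, rule name, app path) tuples for flagged rules."""
    parsed = ((rid, parse_rule(raw)) for rid, raw in rules.items())
    return sorted((rid, r.get("Name", ""), r["App"]) for rid, r in parsed if is_suspicious(r))

def load_local_rules():
    """Read the live rule values from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FW_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {name: data for name, data, _ in
                (winreg.EnumValue(key, i) for i in range(count))}

if __name__ == "__main__":
    for hit in audit(SAMPLE_RULES):
        print(hit)
```

On a Windows host, pass `load_local_rules()` to `audit()` instead of the sample dictionary.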