There's a Mac app called Little Snitch and a competitor. They ask about every connection attempt and you can make rules that stick. I block some Apple stuff because it's way out of date now, but I know I can because if I set a temporary rule with a certain port, it will try again with another port.
There's got to be something like this for Windows. Copy over a ruleset and the end-user doesn't even have to figure things out.