Keep WLAN deactivated on El Capitan

Your question touches upon a few different areas so I will aim to address these individually:

Disabling a network service

You did not mention how you were disabling the Wi-Fi (i.e. WLAN) service, however there are generally two ways to do so from System Preferences in OS X:

• Click the Apple menu (), then System Preferences, then Network
• Click Wi-Fi or the custom-named service from the service list on the left
• Click Turn Wi-Fi off, then close the System Preferences window

Alternatively:

• Click the Apple menu (), then System Preferences, then Network
• Click Wi-Fi or the custom-named service from the service list on the left
• Click the gear icon (⚙), then Make service inactive, then click Apply

Both methods should persist through a reboot or shutdown. Neither method requires removing any known networks, as you were concerned about, and both should result in the service being disabled until turned on again using the same method.

It is important to note that if you click Turn Wi-Fi off in the method above, it is necessary to close the System Preferences window. If you reboot or shutdown without doing so, the option will not persist. Similarly, if you disable Wi-Fi from the menu bar icon (top-right of screen) the setting will not survive a reboot or shutdown.

If, as you mention, the service is activated again after following one of the methods above, I would suggest removing the service completely (by selecting it from the service list and clicking the delete or — icon) then recreating it using the same settings, perhaps under a different name (e.g. WLAN Test).

Note: You can always Revert any changes you make before Applying them in Network preferences. Be careful not to lose any details that you otherwise don't have written down.

Protecting against open networks

As you suggested, it's wise to be concerned about the potential risks associated with open Wi-Fi networks, and you can at least opt out of joining these automatically:

• Click the Apple menu (), then System Preferences, then Network
• Click Wi-Fi or the custom-named service from the service list on the left
• Enable the Ask to join networks checkbox:

As described, known networks will be joined automatically. If no known networks are available a selection dialog will appear on-screen, giving you the option to join any available, but unknown, Wi-Fi network.

For additional protection you can require the administrator password when changing networks:

• Click Advanced... then enable the Change networks checkbox under the heading Require administrator authorization to:

Adjusting network service order

It's generally advisable to prioritise your network services by their reliability, from most to least reliable, to give you the best experience when using multiple connections. In your case — since WLAN traffic appears to be taking priority over other traffic — this means giving the wired thunderbolt-to-ethernet service priority over your WLAN :

• Click the Apple menu (), then System Preferences, then Network
• Click the gear icon (⚙), and select Set Service Order... as shown below

• In the panel that appears arrange the services by dragging them to the desired order, for example:

• Click OK, then Apply

The system will attempt to utilise services in the order that you specified above. If a service is not available (e.g. cable disconnected, no network available) it will fall back to the next service, if any, until a valid service is found, or alternatively all services fail.