Configure Windows Firewall to block all except for specific traffic

I see there are three policies - public/private/domain. I've been making the same setting changes to each one, though I only have a single NIC and it's assigned the domain policy.

As an aside, making changes to the firewall policies for public and private won't have any effect as long as your NIC is still using the Domain network profile.

According to this documentation the allow rules are supposed to take precedence over default rules. I want to set my default rule to block all traffic and only allow certain traffic with allow rules.

You are doing this the hard way. The default policy of the Domain profile implements a default deny ingress policy and a default allow egress (i.e., inbound connections are blocked and outbound connections are allowed). If you've changed these defaults you can set them back in the Windows Firewall Properties dialog.

Then, to enable ICMP traffic, enable the following two allow rules:

   File and Printer Sharing (Echo Request - ICMPv4-In)
   File and Printer Sharing (Echo Request - ICMPv6-In)

When you have more than one rule matching your traffic, the Block one will have precedence.

Unless you select Override Block Rules option in your Allow rule.

Also, when using a Block all connection rule, the Override option won't work.

Sorry, I just re-read the documentation.

In a nutshell, I believe what you are hoping to achieve is not quite possible with Windows Firewall.

Unfortunately, it doesn't work like network firewalls, i.e., reading rules from top to bottom and using the first that matches.

If you have rules with both Allow and Block that will match traffic, then it will Block.

Rules Action Explained

Where to find Override block rules
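
The steps from the answers above expressed in PowerShell, as an added example that is not part of the original posts. It assumes an elevated session on a Windows version that ships the NetSecurity module, and it also lists enabled inbound Block rules, since those would take precedence over the two echo request allow rules.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny inbound on the Domain profile plus ICMP echo allow rules.

# 1. Confirm which profile each connected interface is actually using.
#    Changes to Public/Private have no effect while the NIC is on Domain.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Put the Domain profile back to its defaults:
#    inbound blocked unless an allow rule matches, outbound allowed.
Set-NetFirewallProfile -Profile Domain `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Enable the two built-in echo request rules named in the answer.
#    Several rules can share a display name (one per profile group),
#    so only touch the copies that apply to the Domain profile.
$echoRules = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'File and Printer Sharing (Echo Request - ICMPv6-In)'
)
foreach ($name in $echoRules) {
    Get-NetFirewallRule -DisplayName $name |
        Where-Object { "$($_.Profile)" -match 'Any|Domain' } |
        Enable-NetFirewallRule
}

# 4. Block beats Allow when both match, so list every enabled inbound
#    Block rule on this profile and review it for overlap with the allows.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Any|Domain' } |
    Select-Object DisplayName, Profile

# 5. Verify the resulting defaults and rule state.
Get-NetFirewallProfile -Profile Domain |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName $echoRules |
    Select-Object DisplayName, Profile, Enabled, Action
```

If the profile settings are delivered by Group Policy, the local changes in step 2 can be overridden; compare against `Get-NetFirewallProfile -PolicyStore ActiveStore` to see the effective values.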