Microsoft Knowledge Base Article 811832 contains the following summary:
The Internet Protocol Security (IPsec) feature in Windows
Windows XP and Windows Server 2003 was not designed as a full-featured
It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.
The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Microsoft Windows XP online help. These filters make it possible for Internet Key Exchange (IKE) and Kerberos to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic. For additional information about these filters, click the following article number to view the article in the Microsoft Knowledge Base:
253169 Traffic That Can--and Cannot--Be Secured by IPSec
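
The exemption categories listed in the summary above, as an added audit example that is not from the Microsoft article: it tags flow records that may fall under a default exemption, so a reviewer can see which traffic an IPsec block filter would not be evaluating. Assumptions: the function names and sample flows are constructed here, the protocol numbers and ports are the well-known assignments (UDP 500 for IKE, port 88 for Kerberos, IP protocol 46 for RSVP), and matching a port on either endpoint is an audit choice so that candidates are over-reported rather than missed.

```python
import ipaddress
from collections import Counter

# Well-known assignments for the services the summary names.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_RSVP = 6, 17, 46
IKE_PORT, KERBEROS_PORT = 500, 88
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def exemption_category(flow, local_net):
    """Return the default-exemption category a flow may fall under, or None.

    flow: dict with proto (IP protocol number), dst, and optional sport/dport.
    local_net: ipaddress network of the host's subnet (for directed broadcast).
    Assumption: ports are checked on either endpoint (audit over-reports).
    """
    dst = ipaddress.ip_address(flow["dst"])
    ports = {flow.get("sport"), flow.get("dport")}
    if dst.is_multicast:
        return "multicast"
    if dst == LIMITED_BROADCAST or dst == local_net.broadcast_address:
        return "broadcast"
    if flow["proto"] == IPPROTO_RSVP:
        return "rsvp"
    if flow["proto"] == IPPROTO_UDP and IKE_PORT in ports:
        return "ike"
    if flow["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and KERBEROS_PORT in ports:
        return "kerberos"
    return None

def audit(flows, local_net):
    """Return (Counter of exemption categories, flows the filters still see)."""
    net = ipaddress.ip_network(local_net)
    tagged = [(f, exemption_category(f, net)) for f in flows]
    counts = Counter(cat for _, cat in tagged if cat)
    return counts, [f for f, cat in tagged if cat is None]

# Constructed sample flow records (documentation addresses, not a real capture).
SAMPLE_FLOWS = [
    {"proto": 17, "dst": "192.0.2.10", "sport": 500, "dport": 500},
    {"proto": 6, "dst": "192.0.2.20", "sport": 49152, "dport": 88},
    {"proto": 46, "dst": "192.0.2.30"},
    {"proto": 17, "dst": "224.0.0.251", "sport": 5353, "dport": 5353},
    {"proto": 17, "dst": "192.0.2.255", "sport": 137, "dport": 137},
    {"proto": 6, "dst": "192.0.2.40", "sport": 49153, "dport": 445},
]

if __name__ == "__main__":
    counts, filtered = audit(SAMPLE_FLOWS, "192.0.2.0/24")
    print(dict(counts), "flows subject to policy filters:", len(filtered))
```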