Microsoft Knowledge Base Article 810207 contains the following summary:
The Internet Protocol Security (IPsec) feature in Windows
Server 2003 was not designed as a full-featured host-based firewall.
It was
designed to provide basic permit and block filtering using address,
protocol
and port information in network packets.
IPsec was also designed as an
administrative tool to enhance the security of communications in a way that is
transparent to the programs.
Because of this,
it provides traffic filtering
that is necessary to negotiate security for IPsec transport mode or IPsec
tunnel mode,
primarily for intranet environments where machine trust was
available from the Kerberos service or for specific paths across the Internet
where public key infrastructure (PKI) digital certificates can be
used.
The default exemptions to IPsec policy filters are documented in
the Microsoft Windows 2000 and Microsoft Windows XP Help.
These filters make it
possible for Internet Key Exchange (IKE) and Kerberos to function.
The filters
also make it possible for the network Quality of Service(QoS) to be signaled
(RSVP) when the data traffic is secured by IPsec,
and for traffic that IPsec
cannot secure such as multicast and broadcast traffic.
For additional information about these filters, click the following article number to view the article in the Microsoft Knowledge Base:
253169 Traffic that can--and cannot--be secured by IPSec