I understand what you are saying, I would expect the uTorrent port to not be accessible remotely in that situation as well.
Maybe part of the confusion could be in the difference the implicit behavior the SEP firewall uses between the Local/Remote and Source/Destination designations. Notice how the article mentions “If the Source/Destination option were selected, all inbound traffic would be allowed”. I don’t know if you’re using the default Local/Remote setting but that could possibly present a source of confusing results. If you go to page 445 of the Admin Guide, like the article mentions, it explains the difference between the two methods pretty well (note this is the RU5 admin guide version not RU6A).
But I would rather not rely on implicit behavior of the Local/Remote being outbound only and Source/Destination being inbound. For me, that is too “automated” when working with something like a firewall. I prefer to explicitly define the traffic patterns in the rule set rather than trusting implicit behavior. This is also a best practice to add a rule blocking all traffic in both directions at the bottom rather than relying on an implicit deny all like in a Cisco ACL (as the default firewall rule correctly does). This is perhaps more management overhead but for me it is more clear and there is less chance of a confusing traffic situation happening, like the uTorrent thing.
When working with the SEP firewall I find the Local/Remote concept to make sense overall but, coming from a typical perimeter firewall background, for me it is more intuitive and less prone to error to standardize everything on Source/Destination.
So my recommendation would be to ditch the default firewall policy, create a new firewall policy to use as a base, and make copies of the base as needed to add traffic based on your needs. The base policy could have a “block all” rule at the bottom, an “allow IP outgoing” rule above that, and a “block IP incoming” rule at the top. The stateful firewall will allow all applications like web browsers and email clients to work, and you can add other “allows” near the top for remote access, icmp, etc. Many of the default firewall rules can be copied to your new policy like the ping, IPv6 stuff and fragmented packets.
Hope this helps.