When an application which has server rights in Application Control starts listening to a port, Application Control automatically creates a dynamic firewall rule allowing the traffic inbound. Dynamic firewall rules are created before any rule that denies all traffic (the firewall service "All traffic") and after any other rule. It is worth noting that even if you have denied server rights of all known applications, svchost.exe still has server rights in Application Control. Svchost.exe is the host process for services that run from DLLs, so it can listen to some ports for those services.
Limiting access to a port that Application Control opens dynamically is possible by creating a rule denying traffic to that port. The rule goes automatically above the dynamic rules, and as rules are evaluated from top to bottom, the dynamic rule is no longer effective.
If you need to have total control over the rules, you may create a rule that denies all inbound TCP traffic and all inbound UDP traffic. This kind of rule goes above dynamic rules, as it does not use the firewall service "All traffic". Please note that if this is implemented, you must create rules allowing traffic through to all ports that the computer needs to listen to.
Checking the ruleset in use
When you are creating a very restrictive rule set, it is recommended that you check the active rules in the F-Secure product's local user interface. There you can also see all the dynamic rules (for the time being), and you will also get an overview of the rule set being used.