In 6 words, CIS/CAV is not for the novice user. It's not for a big portion of experienced users either, as it's very annoying for an AV to interfere with non-malicious programs and sandbox them. Also, it's known to have lots of bugs.
If you want that default-deny behaviour, you can use Avast and enable Aggressive Mode so that unknown apps will be blocked (or moderate for suspicious apps). Someone will say it's just a blocker mechanism and CIS offers stages of restriction. But who's sure if an app will run correctly when it's autosandboxed by CIS?
Firewall? If you are at home, use Windows Firewall and the router firewall and you'll be OK.
If not, Privatefirewall is a good and light third-party alternative to add if you want more control than with Windows Firewall.