This means that any application running on the computer can send any traffic from the computer through any port to any device on the network or the internet. This also means that any device on the network or the internet can send traffic through any port on the computer.
Let's deal with that notion first...
Getting traffic on the internet over TCP/IP is kinda like sending post (with a few inconsistencies) to an apartment block. The IP address maps to the address of the apartment block and the TCP port to the apartment number in the building.
In order to send a packet to this address, you must first own an apartment in real life so you have a return address. Then, you try posting your parcel.
If nobody lives in that apartment, your package won't be received. It'll be left in the lobby with the porter and probably abandoned. The same is true of TCP ports - if there's no application listening (or "bound") to the port, the OS won't pass it into an application. However, the porter (the OS) does indeed handle that packet, if only briefly. Bugs in the porter are quite serious.
Now, in reality, just like with post, it's not as simple as you put your packet into the post and it comes out the other end. When you post your packet, your local post service take it so far, look up some information and work out which postal service to pass it on to (think international post).
Now we need to get a bit complicated. Suppose the person you want to post to works in a university building on a campus. Postal services don't deliver there; instead, they deliver to the porter in the main building; he then decides where to direct that package. This is a microcosm of the routing situation I alluded to above and is analogous to NAT.
So, so far, we've learned that you can't always get packages to the requisite address, and you need someone there to receive them in the first place.
When the firewall gets switched on, every port is closed (as in inbound and outbound traffic on every port is blocked) unless the user specifically opens one, or Windows UAC indicates to the user that a particular port on the firewall needs opened for an application to run (this usually happens when an application is being installed). In this scenario the user clicks yes and Windows configures the firewall to allow the application to function properly on their behalf.
Nope. They're only open if there's someone at home with the light on. Otherwise, the porter looks at the package and says "who dis?" before promptly binning it (putting it in the trash, if you're American).
So there we have it. If the firewall is off, every port is open and any application running on the computer can send and receive data through any port if it is designed to do so. Also any device that can connect to the computer (as a rule of thumb any device that can ping the computer) can send data through any port. Also, turning the firewall on makes everything nice and secure, right?
Well... in a very, very simplistic way, yes, kind of.
See, in truth, it is possible that the person living at the address you're posting to just doesn't like you very much. It's nothing personal, they've just never met you. So they don't open your package either, having had a quick peek at the sender. Many applications, e.g. webservers, can direct traffic based on its incoming parameters. A common example is the HTTP HOST: header.
So, now let's fit Windows Firewall into our analogy. Windows Firewall is basically a Porter with a degree from MIT. He looks at the incoming packages and knows about people living in the various apartments. He has a list of rules which he can check recipients against - for example, he might allow Fred to receive packages from anyone on his street, or town, but not from France. How exactly he does this really depends on how he is instructed by whoever owns the building.
That is, in essence, how a firewall works. It does control what ports are open and closed and may do additional filtering based on packet destinations, sources, ports and even contents. However, the on/off idea isn't quite there. It's nowhere near that simple.
To explain, let's assume Fred and George live on the same street. George doesn't like Fred very much, because Fred uses a Mac (or insert your own stupid reason of choice in here. I just don't like Macs). So George decides to send Fred a stinkbomb.
Fred's porter has a rule that says if anyone wants to send something and they live on the same street, then Fred should be sent the packet. So George posts his package and next thing you know there's a smell of rotten eggs in Fred's flat.
I realise that's not the sort of IT professional-speak, so let's put it another way - your firewall only protects you according to the rules you have allowed. However, if one of those allowed rules gives an attacker a way to exploit your system, and the attacker does, the presence of the firewall will not help. This is true of Windows firewall as much as any other firewall.
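The "only open if there's someone at home" point can be checked on your own machine. The following is an added example, not part of the original answer: it binds a listener to a loopback port, connects to it, then closes the listener and connects again, showing that the OS itself refuses the connection when nothing is listening. The names `port_state` and `listener_demo` are made up for this illustration, and everything stays on 127.0.0.1.

```python
import socket


def port_state(host, port, timeout=1.0):
    """Classify a TCP port by attempting a single connection to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # Handshake completed: an application is listening.
            return "listening"
    except ConnectionRefusedError:
        # The OS (the porter) answered with a reset: nobody is home.
        return "closed"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping packets.
        return "filtered"
    except OSError:
        # Anything else, e.g. no route to the host.
        return "unreachable"


def listener_demo():
    """Return the state of one loopback port with and without a listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0 = let the OS pick a free port
    port = srv.getsockname()[1]
    srv.listen(1)                   # someone is now "at home"

    with_listener = port_state("127.0.0.1", port)

    srv.close()                     # the tenant moves out
    without_listener = port_state("127.0.0.1", port)

    return with_listener, without_listener


if __name__ == "__main__":
    home, away = listener_demo()
    print("listener bound :", home)
    print("listener closed:", away)
```

Loopback traffic normally bypasses host firewall filtering, so the "filtered" result will only show up when the same function is pointed at one of your own hosts from another machine with a blocking rule in between.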