If you control DeviceTcp, DeviceUdp, DeviceIp, DeviceRawIp and DeviceMULTICAST then you have complete control over application’s (IE, ICQ, Outlook and etc…) access to the MS TCP/IP network stack. Under control I mean ability to block any network activity (create socket, listen port, connect remote host and et…). Is that your question?
But this does not mean that you control all network activity of the system, because it may have another network protocols installed (IPv6 an example). But even without installing additional protocols, control over TDI is not the same as control over network. If you try to block the network with your TDI filter then MS TCP/IP still continue packet routing, it still replies ICMP ping, network file and folder sharing still works and etc… This is because mentioned network activities never reach TDI level.
I hope I’ve answered your question…