Well, some firewalls prioritize the allows over the denies, I'd get the feeling Little Snitch doesn't. Try blocking all web access, allow a browser to, and see what the browser can do.
And yes, it does rule. IPFW plus LittleSnitch beats all the buggy firewalls on Windows easily....ISTR Linux has an extension that needs to be compiled in the kernel for an application level firewall, kexts are apparently handy for that on OS X.