Seems like that is exactly how it works.
Correct. We had to use this as an option due to how an application opened documents locally. It would open a connection to the local machine's IP, not localhost, on a specific port. We added the port as allowed for connections within the local subnet and were able to get around the issue.
To create a loopback rule for applications that use the public IP address instead of the 127.0.0.1 address, I would suggest using the option "Any Local IP" for both local and remote networks. This limits traffic to and from the local system only and not from the entire subnet.