I have also denied "Internet In". Certainly Generic Host. Allowing it server right is a security risk.
Kerio gets time update from time server to local port 123 UDP cause it uses statefull packet inspection for UDP (Kerio 4.2.2 and a few earlier ones too do that).
So even though it is blocked, that statefull thing allows it to happen
Sygate firewall needs an advanced rule to svchost.exe for that, but not Kerio.
My Kerio setup is very tight. From Network/Predefined's I allow only default ICMP ping rules. I use those instead BZ ICMP rules, cause Kerio seems to have them tighter inbound.
Today thanks to sded, I got the one last missing rule from Blitzen Zeus's ruleset that I thought could not be implemented with KPF 4:
http://www.broadbandreports.com/forum/remark,14826751