Was about to submit a case once I noticed previously blocked WLAN clients again appearing on a WLAN! Then realised that it was because I had changed the network type to autonomous - so obviously the client MAC addresses were not being checked with the ZD! I wonder what other effects this has? Device policies ignored? Rate restrictions ignored? I mean, blocking being ignored is pretty serious.
I don't know that it's actually a fault as such... Seems to make sense that if a WLAN is autonomous from the Zone Director that it won't check policies held in the ZD. It's really just a warning I posted, rather than a complaint - but worth sharing "my" mistake so others don't make it.
Have noticed (since changing the WLAN back to Standard) that the supposedly "blocked device" is now caught in a trap of "failing authentication too many times" - so that's not normal behavious for a blocked device either.