@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensues there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.