Symantec support contacted me regarding my case and indicated that the firewall and IPS are required as indicated in this discussion.
I began to think maybe my tests were not done correctly, so I repeated my test described above in a clean environment this morning. Two new systems with fresh OS loads, new SEP installs. Same results!
First Test (The client interface user control settings for these clients were set to server control. Display IPS notifications was unchecked)
I mapped a drive from client A to client B. Disabled Auto-Protect on client A. Copied an eicar.com file from client A to client B. Client B presented an auto-protect notification that it blocked eicar.com. Checked the AV and security logs on client. AV log recorded source IP address and the security log recorded an IPS log about the event. Checked SEPM and the same logs are shown as well.
Second Test (The client interface user control settings for these clients were set to mixed control. Control settings set to client for IPS and Firewall features. Client user interface options greyed out but checked to display IPS notifications.)
I mapped a drive from client A to client B. Disabled Auto-Protect on client A. Copied an eicar.com file from client A to client B. Client B presented an auto-protect notification that it blocked eicar.com. A few seconds later I received a balloon notification from SEP indicating that the remote IP address of the attacker had been blocked for 10 minutes. Checked the AV and security logs on client. AV log recorded source IP address and the security log recorded an IPS log about the event as well as an active response log. Checked SEPM and the same logs are shown as well.
Conclusion
The Risk Tracer feature in SEPv11 appears to work the same as SAV10. It doesn't require the firewall or IPS active response. I would classify this as reactive/reporting mode since Risk Tracer is only providing source IP in a report and is not actively taking action.
When the firewall and IPS "active response" are enabled, the IPS will automatically block the source IP address discovered by Risk Tracer. I would classify this as proactive/real-time response mode. The Risk Tracer logs are also available as well. This can be done in SAV10 as well, but the SEPv11 IPS may be more enhanced with this feature.
I've asked Symantec support to forward this to an engineer to confirm my findings. This is a very easy test to repeat. Once confirmed by Symantec I believe the information regarding Risk Tracer should be updated to reflect the above information.