
I think if you block port 443 in such a way that a client sees it closed like any other non-HTTPS website, and the user has never been to the requested site before on that browser (to avoid HSTS being in effect), and they omit a scheme when typing the URL into the address bar, then the browser will make an unencrypted request and render the unencrypted response. However, popular browsers these days will add a "not secure" note near the address bar (where historically it would've had no such indication besides lack of padlock) and they'll try https first before falling back to http (but no fallback in the case of cached HSTS info from a prior visit).
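An added example (not the commenter's code) that models the scheme-selection rule described above: HTTPS-first for a bare hostname, plaintext fallback with a "not secure" indicator when port 443 is closed, and no fallback at all when an unexpired HSTS entry (parsed from a Strict-Transport-Security header) covers the host. The port probe is injected and the hostnames are constructed so it runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the pin lapses
    include_subdomains: bool

def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value; None means 'no/cleared entry'."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age <= 0:   # max-age=0 deletes the entry
        return None
    return HstsEntry(expires_at=now + max_age, include_subdomains=include_sub)

def hsts_applies(cache: Dict[str, HstsEntry], host: str, now: float) -> bool:
    # True if host, or an includeSubDomains parent, has an unexpired entry
    labels = host.lower().split(".")
    for i in range(len(labels)):
        e = cache.get(".".join(labels[i:]))
        if e and e.expires_at > now and (i == 0 or e.include_subdomains):
            return True
    return False

def navigate(typed: str, cache: Dict[str, HstsEntry],
             port_open: Callable[[str, int], bool], now: float) -> Tuple[str, bool]:
    """Return (scheme used, 'not secure' indicator shown); raise if blocked."""
    scheme, sep, rest = typed.partition("://")
    scheme, host = (scheme.lower(), rest) if sep else (None, typed)
    host = host.split("/")[0]
    must_https = scheme == "https" or hsts_applies(cache, host, now)
    if scheme != "http" or must_https:      # HTTPS-first for bare hostnames
        if port_open(host, 443):
            return "https", False
        if must_https:                      # no fallback: HSTS or explicit https
            raise ConnectionError(f"{host}: HTTPS required but port 443 closed")
    if port_open(host, 80):
        return "http", True                 # plaintext, browser shows "not secure"
    raise ConnectionError(f"{host}: unreachable on 443 and 80")
```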



Ah, that's clever



