I've got an excellent question recently: Which switching path is used in Zone-based firewalls when a packet is dropped? As usual, IOS documentation was not very helpful (which is understandable as the answer might depend on hardware platform, interface encapsulation, other features configured on the router etc.). However, there is a great tool to use - the show interface stats command.
The show interface stats command displays the number of packets switched per switching mechanism (unfortunately, CEF is lumped together with fast switching). This command thus helps us to figure out if the packets are process switched. The show cef not-cef-switched command displays all packets punted from CEF to other switching mechanisms, so together they give us a pretty strong indication of what's going on.
To answer the question, I've configured a test lab router as follows:
class-map type inspect match-all ICMP
match protocol icmp
policy-map type inspect InToOut
class type inspect ICMP
zone security inside
zone security outside
zone-pair security InToOut source inside destination outside
service-policy type inspect InToOut
ip address 10.0.0.1 255.255.255.0
zone-member security inside
interface Serial0/0/0.100 point-to-point
description Link to the Internet
ip address 192.168.201.6 255.255.255.252
zone-member security outside
Note: it's best to perform these tests in very "quiet" and controlled environment to ensure the statistics are not skewed by other traffic.
I've started a continuous ping on a LAN-attached workstation (as expected, all pings failed), cleared the interface counters on the router and took a snapshot of them a while later. The counter values clearly indicate that the dropped packets are not process-switched.
*Dec 15 18:14:28: %FW-6-DROP_PKT: Dropping icmp pkt 10.0.0.2:8 =>
172.16.0.1:0 with ip ident 17758 due to DROP action found in policy-map
fw#show interface FastEthernet0/0 stats
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 4 553 10 919
Route cache 32 2368 0 0
Total 36 2921 10 919
fw#show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options Access Frag
RP 0 0 0 0 0 0 0 0