Question : Websense - Block Internet Access - Except for Updates

We are currently using Websense’s webfilter v.7.  I would like to prevent internet access from a terminal server for everyone except domain admins.  

But it looks like the policy that prevents internet access is taking a priority over the policy that allows full access for the security group that holds domain admins.

So the terminal server is blocked by its IP address.  The category filter is set to limited access only allowing access to specified sites (no sites specified to block all internet access).  The protocol filter is set to monitor only.

Domain admins should have full access as the targeted security group’s category filter has no blocked categories and the protocol filter is set to allow all protocols.

How do you block all internet access on a given machine yet allow full internet access for a given security group?

Answer : Websense - Block Internet Access - Except for Updates

If you enable "Use most restricted rules Policy" in Settings/filtering, then the most restrictive rules are applied. This is why when an IP address is having all blocked, and a user who is allowed logs in, the block overrides allow.

I have 2 solutions for your case and it is up to you to decide:

1- Remove the tick mark for "Use most restricted rules policy"
2- Use Groups and not username to define policies
3- Apply the block all to the IP.
4- Allow internet to the admin user (and NOT GROUP).
In this case, only policies applied to users will be applied, otherwise all is blocked.
This is because the filtering order in Websense (without the most restrictive rule applied) is as follows:
a- Policy assigned to the user.
b- Policy assigned to the IP address (computer or network) of the machine being used.
c- Policies assigned to groups the user belongs to.
d- Policies assigned to the user's domain.
e- The Default policy.

Option 2 is to give the Admin user "Password override" option.

Hope that helps.

Ehab