If you enable "Use most restricted rules Policy" in Settings/filtering, then the most restrictive rules are applied. This is why when an IP address is having all blocked, and a user who is allowed logs in, the block overrides allow.
I have 2 solutions for your case and it is up to you to decide:
1- Remove the tick mark for "Use most restricted rules policy"
2- Use Groups and not username to define policies
3- Apply the block all to the IP.
4- Allow internet to the admin user (and NOT GROUP).
In this case, only policies applied to users will be applied, otherwise all is blocked.
This is because the filtering order in Websense (without the most restrictive rule applied) is as follows:
a- Policy assigned to the user.
b- Policy assigned to the IP address (computer or network) of the machine being used.
c- Policies assigned to groups the user belongs to.
d- Policies assigned to the user's domain.
e- The Default policy.
Option 2 is to give the Admin user "Password override" option.
Hope that helps.
Ehab