Yes you just have to create a group policy in your firewall rules.
This group policy can recognize your domain using suffix dns, dns,...
create a rule in this group policy with all ip trafic authorized.
Also you can use rule based to you LAN IP segment or adding to a trusted networks.
Yes, you can actually create what we term "Connection Aware Groups". You can use multiple sets of criteria in the creation of them including DNS suffix (the one assigned -- not the search order), IP range, DNS servers and a few other bits.
From there you can create a policy that allows or restricts traffic as you desire.
Realize that CAGs should be treated as whole firewall policies. And that you need some non-CAG rules to start to always allow basics (DHCP, DNS and a couple others). Please look for the firewall policy called "Typical Corporate Sample". Use it as a baseline for what you're trying to do. That was my intent when I wrote them.