I talked to support and this configuration is simply not possible, and I'm not the only person asking for it, so I predict we'll have this capability in the near future.
Now, we did cook up an idea to use whitelisting and a blocking rule that might work. I'm testing it now, and I will post results soon.
We solved this by relying on FQDN (fully qualified domain name).
1) Create a Web Destination that includes your company's domain name(s).
2) Uncheck these entries.
3) Check the "Other web server" entry.
Using this Web Destination, we can create Web Post Protection Rules that only apply to Internet domains.
Of course, if a user visits http://intranetsite instead of http://intranetsite.domain.net, this method won't be effective. We're using this setup to block traffic... so if the request doesn't contain the FQDN, the user doesn't get access at all.
Interesting solution, and I can see where someone attempting to "circumvent security" by using a server name would be blocked. I like that. Have you played with the white list yet? My only concern about the whitelist is that it may not monitor activity, but we'll find out tomorrow.
Have we found any workaround or any feature addition to DLP around this issue as of now? My requirement is exactly the same as that of BionicSE. However, the solution provided by sprairie would not work in our environment as we block users from using the server name to access the link.
So is there a way that we can whitelist a local / custom application?