There are many ways to do what you describe. Here is one of them:
On the ones that have both an allow and block, that is because you did not specify what you wanted to do with Uncategorized sites. I am assuming you want to allow anything not categorized for Guests and Group 3. By putting the Allow (not blocked really) it will prevent getting to the Block Everything at the bottom.
You also didn't specify if there is ever a case when a user might be in two groups. I assumed they would not be in this example. The rules would be different if you are members of multiple groups and you would have to decide which group took precedence.
Thanks for your reply and helping me on this. I've sent you the backup file as requested. I feel I'm very close to what I need. I tried to create rules using your help. Would you please check attached snapshots and let me know why it’s not working?
Here's the access.log entry:
[05/Aug/2010:05:36:06 -0600] "" 192.168.110.24 403 "GET http://www.google.com/ HTTP/1.1" "" - "" 0 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4" "" "10"
Yes, there would be users in multiple Active Directory groups. I wanted to create simpler rules first.
I was searching the community pages and this https://community.mcafee.com/message/135128 thread helped a lot.
My simple rule (earlier post) worked and I think I can create more rules mapped with other Active Directory groups. Please check attached snapshots to see how I did it.
I will try to add users in multiple AD groups and am waiting for your tips on this.
I solved my problems with users in multiple AD groups in this fashion:
As you can see I have a different filter for the "CIU" & "Admins" Groups and also the "Kiosk" user. These are followed by a filter for the "Domain Users" (which I called Default Deland Group). In order to keep users in the CIU & Admins groups from getting the Default DeLand Group's (the most strict policy) filter, I created a set of Criteria to be met in order for the Default Deland Group's filter to be applied.
So, basically the Domain Users (Default DeLand Policy) is applied as long as the user is in the Domain Users group, but not in the CIU or Admins groups and also not the Kiosk user.
Hope that helps.
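The multi-group approach in the last post can be modelled as a first-match rule list. The sketch below is an added example, not the posters' configuration and not McAfee Web Gateway syntax; `Rule`, `evaluate` and the policy names are hypothetical. It shows that the exclusion criteria keep an Admins member off the strict default filter even if the default rule is evaluated first.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    policy: str                                        # constructed policy label
    member_of: set = field(default_factory=set)        # match if in any of these groups
    not_member_of: set = field(default_factory=set)    # ...and in none of these
    users: set = field(default_factory=set)            # match specific usernames
    not_users: set = field(default_factory=set)        # ...but never these usernames

    def matches(self, user, groups):
        # Exclusions are checked first: they veto the rule outright.
        if user in self.not_users or groups & self.not_member_of:
            return False
        return user in self.users or bool(groups & self.member_of)

def evaluate(rules, user, groups, default="Block Everything"):
    """Return the policy of the first matching rule, else the catch-all block."""
    groups = set(groups)
    for rule in rules:
        if rule.matches(user, groups):
            return rule.policy
    return default

KIOSK = Rule("Kiosk", "kiosk-filter", users={"kiosk"})
CIU = Rule("CIU", "ciu-filter", member_of={"CIU"})
ADMINS = Rule("Admins", "admins-filter", member_of={"Admins"})
# Default rule with the criteria from the post: in Domain Users,
# but not in CIU or Admins, and not the Kiosk user.
DEFAULT_GUARDED = Rule("Default DeLand Group", "default-filter",
                       member_of={"Domain Users"},
                       not_member_of={"CIU", "Admins"},
                       not_users={"kiosk"})
# Same rule without the criteria, for comparison.
DEFAULT_UNGUARDED = Rule("Default DeLand Group", "default-filter",
                         member_of={"Domain Users"})

GUARDED = [DEFAULT_GUARDED, CIU, ADMINS, KIOSK]        # default deliberately first
UNGUARDED = [DEFAULT_UNGUARDED, CIU, ADMINS, KIOSK]

if __name__ == "__main__":
    alice = ("alice", {"Domain Users", "Admins"})      # constructed sample user
    print("guarded:  ", evaluate(GUARDED, *alice))
    print("unguarded:", evaluate(UNGUARDED, *alice))
```

A user who is in both CIU and Admins still gets whichever of those two rules comes first, so the precedence decision mentioned earlier in the thread remains to be made for overlapping special groups.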