You can create "Domain" network objects like this:-
and this essentially means "*.windowsupdate.com". If you create domain objects for windowsupdate.com, update.windows.com, windowsupdate.microsoft.com and then put these objects into a netgroup (though I think in v8 you can specifiy multiple endpoint values) you should then be able to create a rule to control outbound access to these locations.
The Firewall doesn't have the capacity to control access by specific URLs (though you could try using SmartFilter to do this), but an outbound rule for the HTTP application to these destinations should do the job.
Hope that helps.
Phil is absolutely correct. It is important however, to understand how domain objects work. They rely on reverse DNS to work, and unfortunately reverse DNS is not always reliable. Basically what will happen is you make a connection to x.x.x.x. The firewall takes x.x.x.x and does a reverse lookup on it to find the PTR record. If the PTR record domain matches your domain object, then the traffic will be allowed (or denied).
Smartfilter is the best bet in this case. Smartfilter does not have to rely on reverse DNS, it simply looks at the URL of the request.