Server protection web control - How to block with exceptions

This isn't really an option. I suppose in the web site list you can create an allow tag for the sites you want, then block all categories including unclassified.  Does this work?

Actually there is no option, or I couldn't find it, to block unclassified traffic. 

Blocking so much, I would be mindful of the sheer number of events.

There is the option:

Log web control events- All attempts to visit blocked sites along with warnings and proceeding through warnings will be logged and visible in reports.

Regards.

Actually the screen you're showing appears for endpoint not for servers

The screenshot provided above works is for Web control policy which looks the same for servers and for endpoints. The difference is that Web control for endpoints is a User-based policy only - you cannot make it device-specific, but Server web control policy is only device-specific. Web control is not designed to block everything but to limit what can be accessed for that one machine.

As a workaround, you can create a new Web control policy, assign it to the desired server, confirm that the policy is enforced. Populate a list of resources in Global settings -> Website management with a tag, then as  Sophos User930  mentioned block all categories and allow everything tagged. If this for some reason doesn't fit your requirements, then your best bet is to set up access through web appliance\firewall.