Block All Web Traffic/Browsing (Specific Users) Except WhiteList - XG210

Hey!

Need some assistance, please.

I am running a Sophos XG210.

I was requested to block certain users from all Web browsing/traffic except some business-required sites.

I previously did something similar to what I needed, adding rules to the Default Web Policy that is being applied to the default firewall rule, blocking URLs from youtube.com and facebook.com and then adding rules at the top that allow access to certain users in a group via Active Directory with a whitelist containing those URLs.

This works well.

I was following the same strategy, but it is not working. I created a rule and tested it by adding a user to the grpInternetBlock...

but when I test it, the user can still browse and navigate the internet:

Is it the best approach? What could I be doing wrong? I know I can block by MAC address, but I believe that would cut off everything from the machine.

I appreciate your help so much!