Web Proxy Policy


I'm using Sophos XG virtual appliance and trying to add users as exclusions for the Web Proxy - Transparent mode (Direct Mode off). If Anybody is used, policy is doing the job and blocking .exe files (as example). But i need that some users to be able to download them. So i have created two groups (imported from AD),one is Restricted and the second Relaxed. Restricted is assigned to Risky downloads and  Relaxed to Suspicious. From this point it seems that there's no effect from policy, users can download .exe. etc. Web Policy is assigned to LAN to WAN firewall rule LAN / ANY as source and service, WAN / ANY as destination and service. Web enabled settings for the firewall policy: Scan HTTP and decrypted HTTPS / Use web proxy instead of DPI engine / Decrypt HTTPS during web proxy filtering. Also appliance certificate is imported into users devices (Trusted Root).

Is there something else that i have to configure to make it work?

The purpose is to block internet to all users and allow only for dedicated groups and also split the internet policy restrictions between groups like the issue explained.

Thank you.

Added TAGs
[edited by: Erick Jan at 10:19 AM (GMT -7) on 21 Sep 2023]