question about blocking user AD Windows server through Sophos Firewall

Question

Good afternoon, I have a Sophos firewall that is integrated with a Windows Server Active Directory.Can a domain user be blocked from browsing the Internet through Sophos, but allow the computer they use to download and update the operating system, and also be able to receive and send mail from their Outlook email account? . Basically it would be to block your navigation and let the rest work for you. 
 
 Thanks for help 
 
 Cheers

Raphael Alganes · Answer

Hello Alfredo, 
 You could create an allow user-based FW rule/Web Filter Rule with similar settings to the KBA below for your email domains and MS updates on top of your "Block all" FW/Web Filter Rule/ App control rule 
 Email: https://support.sophos.com/support/s/article/KBA-000004733?language=en_US 
 Win updates: https://support.sophos.com/support/s/article/KBA-000004980?language=en_US 
 Also, please note that when configuring a "Block all sites" except email/s and Windows update, you should not include CDNs on your blocklist and other necessary resources to fully load/access your allowed websites and resources.