No, Your policy schema should be robust enough that you should never need more then a few simple policies to police even the most complex network.
For Example ... when I create policy it looks something like this...
Under authentication: configuration / system / authentication / default settings
Authenticate using:
Single sign on
click SSO for MAC if required.
do not check off authenticate all requests
captive portal.
leave this un-checked
On authentication failure
block access
This will block access for anyone who has an IP on your network that can not be authenticated.
configuration / group policy / default policy
Pick an array of categories that "normal" people will have.. in short anyone with an ip that has authenticated. Note: do not set them all to block, this will cause you a world of hurrt
do the same for file types, for the most part everything should be allow.
configuration / group policy / additional policies
add:
(for a demo purpose - under select users pick the accounting group)
move them to the selected entries..
then
skip every tab until you get to the TAGS ..
add
name: ALLOW action Allow .. click add.
under name and schedule, check off "turn on this policy for machines connecting anywhere"
give it the name ALLOW
save it
Do the same thing and set it to BLOCK , for this example select the group HR
Now that you have an allow and block tag, set up your ad groups.
the purpose of these rules is to allow additional categories.
create several additional policies as needed. Ie accounting, help-desk, ceo..
Under site categories and download types , only allow ones that are blocked by the default category.
make sure you turn of the policy for machines anywhere, name them and save them.
Now you should have.
A default policy
4-5 additional policies based on AD groups.
1 Block tag (for HR)
1 Allow tag (for Accounting)
Now you're ready to create a local site list:
Lets suppose your company policy blocks facebook
Your default policy would be set to block dating and personals.
none of your other additional policies over ride that block.
But lets suppose accountants should be able to go there.
create a local site list entry for facebook.com
under modify site properties, select the drop down and pick the ALLOW tag.
now you have a policy that will allow accounting to only facebook and block everyone else, and you need is a lsl entry with a tag.
another example:
Suppose you are a school, you can make an ALLOW-Teachers tag, and a BLOCK-Students tag.
now you can create a local site list entry and apply both a block and an allow tag for the same site.
You could also create ALLOW/BLOCK tags based on IP ranges, you could create a special AD group, or you could pick and choose users.
The final word...
Imagine your mining rocks.. the scoop grabs a ton of dirt and drops it into a screen ... the first screen caches the big rocks.. smaller rocks fall through to the next screen and so on.. Policy works exactly the same way.. You don't make policy that dictates what everyone can or cannot do.. you make policy to override the default.
