We would like to block proxy access to the Internet for a group of workstations and servers based on AD Group membership. Is this possible? If not, what is the best approach to blocking Internet access for specific Windows workstations and servers?
Yes, you can block all access based on AD group. To do this:
1. Enable authentication in the WSA (create an authentication realm and join it to the domain).
2. Create an Identity and enable authentication in the Identity by selecting the authentication realm you just created; also select the authentication surrogate for it.
3. Create policies (an Access Policy for HTTP and a Decryption Policy for HTTPS, if the HTTPS proxy is enabled), use the Identity that you just created, and select the specific AD group for that policy.
4. Then in that policy you can set the level of access based on the predefined categories or custom categories, or you can set everything to block.
The other way to do this, if you do not want to enable authentication on the appliance or base it on AD groups, and if you know the IP addresses or subnets of the specific Windows workstations and servers: create an Identity and enter the members by IP addresses or subnets, then create a policy for that Identity to block all access.
We are looking to do something similar for a few PCs that will have static IPs so I would probably use the method without authentication. However, would there be a way to create a policy that would allow access for updates (ex. Windows Updates, etc.) but block all other internet access?
You can create a custom URL category for Windows Update and put entries such as .windows.com, .windowsupdate.com, or any other domain that Windows Update uses.
Then include that custom URL category in your policy and set it to allow, while all other predefined categories are set to block.
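As an added illustration of the two answers above (the subnet-based Identity with a block-all policy, and the custom URL category set to allow with everything else blocked), the following Python models how such a configuration evaluates a request: match the client against the Identity's subnets, then check the request host against the allow category before falling back to the default block. This is constructed example code, not WSA code or anything from the thread; the leading-dot semantics (".windows.com" matching the domain and all its subdomains, a bare entry matching that host only) and the class and function names are assumptions made for the example.

```python
"""Toy model of the proxy policy described in the thread.

Identity  -> matches clients by source subnet (no authentication needed)
Policy    -> allows a custom URL category, blocks everything else
Constructed example; not Cisco WSA code. The entry-matching rules below
are an assumption about how the appliance treats a leading dot.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


def host_matches(entry: str, host: str) -> bool:
    """Match one custom-category entry against a request host.

    Assumed semantics: '.example.com' (leading dot) matches example.com and
    any subdomain; 'example.com' (no dot) matches exactly that host.
    Suffix matching is done on a dot boundary, so 'evilexample.com' does
    NOT match '.example.com'.
    """
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


@dataclass
class Identity:
    """Identity whose members are defined by IP subnets (hypothetical name)."""
    name: str
    subnets: list

    def matches(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.subnets)


@dataclass
class Policy:
    """Policy bound to one Identity: allow the custom category, block the rest."""
    identity: Identity
    allowed_category: list  # custom URL category entries
    default_action: str = "BLOCK"

    def decide(self, client_ip: str, url: str) -> str:
        if not self.identity.matches(client_ip):
            return "NOT_APPLICABLE"  # request falls through to later policies
        host = urlsplit(url).hostname or ""
        if any(host_matches(e, host) for e in self.allowed_category):
            return "ALLOW"
        return self.default_action


def evaluate(policies: list, client_ip: str, url: str, global_default: str = "ALLOW") -> str:
    """Walk the ordered policy list; the first applicable policy decides."""
    for policy in policies:
        verdict = policy.decide(client_ip, url)
        if verdict != "NOT_APPLICABLE":
            return verdict
    return global_default


# Constructed sample configuration: a few static-IP PCs in 192.0.2.0/28
# that may only reach the Windows Update domains named in the thread.
RESTRICTED_PCS = Identity("restricted_static_pcs", ["192.0.2.0/28"])
WINDOWS_UPDATE_CATEGORY = [".windows.com", ".windowsupdate.com"]
RESTRICTED_POLICY = Policy(RESTRICTED_PCS, WINDOWS_UPDATE_CATEGORY)
POLICIES = [RESTRICTED_POLICY]


if __name__ == "__main__":
    samples = [
        ("192.0.2.5", "http://download.windowsupdate.com/msdownload/x.cab"),
        ("192.0.2.5", "http://windows.com/"),
        ("192.0.2.5", "https://evilwindows.com/"),
        ("192.0.2.5", "https://www.example.com/"),
        ("198.51.100.7", "https://www.example.com/"),
    ]
    for ip, url in samples:
        print(f"{ip:14} {url:55} -> {evaluate(POLICIES, ip, url)}")
```

The ordering matters in the same way it does on the appliance: the allow check runs before the default block inside the policy, and a client outside the Identity's subnets is never touched by this policy at all, so a separate policy (or the global default) decides for it.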