Belong to Multiple Access Policies

Khaim_Helms1
Level 1

Hello,

I am curious about everyone else's experience with access policies being maintained by groups, and some users belonging to multiple groups and multiple access policies. Example:

John Doe belongs to group1 and group2

Order:

1. AccessPolicyA
   Selected groups: group1
   Blocks access to URL xyz.com
2. AccessPolicyB
   Selected groups: group2
   Allows access to URL xyz.com

Will the WSA check all access policies that John Doe authenticates to? Or will it stop and use the first access policy that he hits, in this example AccessPolicyA?

Accepted Solution

alessandro.s
Level 1

Hi Khaim,

WSA uses a top-down concept to evaluate access policies, so if Access Policy A and B belong to the same identity and Access Policy A is listed above Access Policy B, WSA will use Access Policy A to evaluate the request.

Best Regards,

Alessandro

snowmizer
Level 1

This seems like it could become a maintenance nightmare. We have the same issue that Khaim is talking about. How do people get around this? We're currently in the evaluation process and don't want to get into using a product that becomes unmanageable.

Thanks.

It is a bit of a hassle, but we had to reorder our access policies thinking in a top-down approach as well.


Also you can create AD global security groups specifically for Internet access if you'd like. Prefix them with something that makes sense so they are all together in AD. We use IG- (IG stands for Internet Group). So we have AD groups called IG-RestrictedInternet or IG-SocialMedia.

If you're in Restricted Internet, you're totally restricted except for a few sites we allow. If you're not in a group you have general internet access except for time-wasting stuff like Facebook. If you're in IG-SocialMedia then you have all the general internet access PLUS social media like Facebook, LinkedIn, etc. This is usually given to marketing or HR people.

So while annoying, there are ways to think about how to handle this. I can see your point: say you are a manager of the marketing department. Well, you might be in an AD group for marketing as well as an AD group for management. In this case our Management policy would come above the Marketing policy. So if you're not doing specific groups then you can just order them by employee position hierarchy, with usually management / HR on top.

I guess part of my issue is that when you set up the access policies you have to specify actions for each category. If WSA also was additive, that would help. In my case we have users from multiple departments that have access to, say, Facebook, but some of them also may have access to, say, web mail, so if they match the Facebook policy first, 1) the users that also are allowed access to web mail won't have access to web mail because the policy denies it, or 2) everyone that matches this policy will have access because I had to allow access.

I haven't found a way to get around this in the WSA configuration.
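The top-down, first-match behaviour alessandro.s describes, and the "lost" web mail permission snowmizer raises, can be checked before a change is pushed by modelling the policy list offline. The following is an added example (not code from the thread or from Cisco); the policy names, group names and category labels are constructed to mirror the scenario above, and "block"/"allow" per category is an assumed simplification of WSA's per-category actions.

```python
# Added example: model WSA's top-down, first-match access policy
# evaluation and audit which allows a multi-group user loses because a
# higher-ranked policy catches them first.
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    name: str
    groups: set      # identity: a user matches if in any selected group
    actions: dict    # category -> "allow" | "block" (assumed simplification)


def effective_policy(policies, user_groups):
    """Return the first policy (top to bottom) whose selected groups
    intersect the user's groups, or None if no policy matches."""
    for policy in policies:
        if policy.groups & user_groups:
            return policy
    return None


def shadowed_allows(policies, user_groups):
    """Categories that a lower-ranked matching policy would allow but the
    effective policy blocks, keyed by category -> list of policy names.
    An empty dict means the order costs this user nothing."""
    hit = effective_policy(policies, user_groups)
    if hit is None:
        return {}
    lost = {}
    for policy in policies[policies.index(hit) + 1:]:
        if not (policy.groups & user_groups):
            continue  # user would never have landed in this policy anyway
        for category, action in policy.actions.items():
            if action == "allow" and hit.actions.get(category) == "block":
                lost.setdefault(category, []).append(policy.name)
    return lost


# Constructed policy list in WSA order (top first), mirroring the thread.
POLICIES = [
    AccessPolicy("AccessPolicyA", {"group1"},
                 {"xyz.com": "block", "webmail": "block", "social": "allow"}),
    AccessPolicy("AccessPolicyB", {"group2"},
                 {"xyz.com": "allow", "webmail": "allow", "social": "block"}),
]

if __name__ == "__main__":
    john = {"group1", "group2"}          # John Doe from the question
    print(effective_policy(POLICIES, john).name)   # AccessPolicyA
    print(shadowed_allows(POLICIES, john))
```

Run it over every group combination you actually have in AD before reordering; a non-empty result for a user is exactly the "won't have access to web mail" case above.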