First access policy wins. The list is processed top-down.
If you haven't, adjust your identity policies to match on authenticated users first, IPs second.
Create a new access policy and place it at the top of the list.
Change Identities to Select one or more...
Change Select Identity... to the Identity Policy that matches your AD authentication. Check the Selected Groups radio button. Click groups, add the group you want to allow access with.
Click the Advanced button at the bottom of the screen. Click URL Categories. Choose the URL category you want to allow access to.
After you click OK/Submit a couple times, you should be back at the list of access policies. Click the box inside URL Categories that matches the access policy you just created.
Check the appropriate mode for that URL category (monitor, warn, block, allow, time-based, etc.).
Click OK.
Apply. Test.
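
To see why the new policy has to sit at the top, here is a simplified first-match model of the ordering described above. It is an added example, not part of the original post and not the appliance's own logic; the policy names, the "AD-Auth" identity, the "Marketing" group and the "Social Networking" category are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:
    name: str
    identity: str                          # identity policy the request matched
    groups: frozenset = frozenset()        # empty = any group in that identity
    categories: frozenset = frozenset()    # empty = any URL category (Advanced criterion)
    actions: dict = field(default_factory=dict)  # per-category action
    default_action: str = "monitor"

    def matches(self, identity, user_groups, category):
        if identity != self.identity:
            return False
        if self.groups and not (self.groups & set(user_groups)):
            return False
        if self.categories and category not in self.categories:
            return False
        return True

def evaluate(policies, identity, user_groups, category):
    """Walk the list top-down; the first policy whose membership matches wins."""
    for p in policies:
        if p.matches(identity, user_groups, category):
            return p.name, p.actions.get(category, p.default_action)
    return "Global Policy", "monitor"      # assumed catch-all at the bottom

def covers(a, b):
    """True if every request that b could match is already matched by a."""
    return bool(a.identity == b.identity
                and (not a.groups or (b.groups and b.groups <= a.groups))
                and (not a.categories or (b.categories and b.categories <= a.categories)))

def shadowed(policies):
    """List (later, earlier) pairs where the later policy can never be reached."""
    return [(later.name, earlier.name)
            for i, later in enumerate(policies)
            for earlier in policies[:i] if covers(earlier, later)]

# Constructed sample policies
all_staff = AccessPolicy("All Staff", "AD-Auth",
                         actions={"Social Networking": "block"})
marketing = AccessPolicy("Marketing Social", "AD-Auth",
                         groups=frozenset({"Marketing"}),
                         categories=frozenset({"Social Networking"}),
                         actions={"Social Networking": "allow"})

WRONG_ORDER = [all_staff, marketing]   # new policy added at the bottom
RIGHT_ORDER = [marketing, all_staff]   # new policy placed at the top
```

Running `shadowed()` over the intended order before applying a change is a quick way to catch a group-specific policy that a broader one above it would swallow.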