Enforcement order

Multiple criteria, applied in a specific order, are used to determine whether to permit, block, or limit requested Internet data.

For each request, web protection components:

  1. Verify subscription compliance, making sure that the subscription is current.
  2. Determine which exception or policy applies, searching in this order:
    • On-premises software (Filtering Service):
      1. Policy or exceptions assigned to the user
      2. Policy or exceptions assigned to the IP address (computer or network) of the machine being used
      3. Policies or exceptions assigned to groups the user belongs to
      4. Policies or exceptions assigned to the user’s domain (OU)
      5. The Default policy
        Note: You can configure Filtering Service to prioritize group and domain-based policies over IP address-based policies, if needed. See Prioritizing group and domain policies.
    • For users whose requests are managed by the hybrid service:
      1. Policy or exceptions assigned to the user
      2. Policy or exceptions assigned to groups the user belongs to
      3. Policy or exceptions assigned to the user’s domain (OU)
      4. Policy or exceptions assigned to the external IP address (filtered location) from which the request originates
      5. The Default policy

    The first applicable exception or policy found is used.

  3. Filter the request according to the exception or policy’s restrictions.

In some cases, a user belongs to more than one group or domain, and no higher-priority policy applies. In these cases, web protection components check the policies assigned to each of the user’s groups.

  • If all the groups have the same policy, web protection software enforces that policy.
  • If one of the groups has a different policy, web protection software uses the Use most restrictive group policy selection on the Settings > General > Filtering page to determine which policy to enforce.
    • If Use most restrictive group policy is checked, and any of the applicable policies blocks access to the requested category, the site is blocked.
    • If the option is not checked, and any of the applicable policies permits access to the requested category, the site is permitted.

    If one of the applicable policies enforces a limited access filter, the Use most restrictive group policy option can have different effects than expected. See Limited access filters and enforcement order.

  • If one of the groups has a different policy, and any of the potentially applicable policies enforces file type blocking, the file type blocking settings are not considered.
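
The following Python model is an added illustration, not code from the product. It walks the two documented search orders and applies the Use most restrictive group policy setting when several group policies disagree. The policy names, the category, and the `resolve` function are constructed for the example. It models only permit and block actions and leaves out the subscription check, limited access filters, and file type blocking.

```python
# Added model of the documented lookup order; not the product's code.
ON_PREM = ("user", "ip", "group", "domain")   # Filtering Service order
HYBRID = ("user", "group", "domain", "ip")    # hybrid service order

# Constructed policies: policy name -> {category: action}
POLICIES = {
    "Default":   {"Social Networking": "block"},
    "Kiosk":     {"Social Networking": "permit"},
    "Staff":     {"Social Networking": "block"},
    "Marketing": {"Social Networking": "permit"},
}

def resolve(order, assigned, category, most_restrictive):
    """Return (policy names used, action) for one request.

    `assigned` maps a scope ("user", "ip", "group", "domain") to the list
    of policy names assigned at that scope for this request.
    """
    for scope in order:
        names = sorted(set(assigned.get(scope, [])))
        if not names:
            continue  # nothing assigned at this scope, keep searching
        # First scope with an assignment wins; lower scopes are never consulted.
        actions = {POLICIES[n][category] for n in names}
        if most_restrictive:
            # Option checked: any applicable policy that blocks, blocks.
            action = "block" if "block" in actions else "permit"
        else:
            # Option unchecked: any applicable policy that permits, permits.
            action = "permit" if "permit" in actions else "block"
        return names, action
    return ["Default"], POLICIES["Default"][category]

# Constructed request: no user-level policy, an IP-based policy on the
# machine, and two groups whose policies disagree.
REQUEST = {"ip": ["Kiosk"], "group": ["Staff", "Marketing"]}

if __name__ == "__main__":
    cat = "Social Networking"
    print("on-prem :", resolve(ON_PREM, REQUEST, cat, True))
    print("hybrid  :", resolve(HYBRID, REQUEST, cat, True))
    print("hybrid, option unchecked:", resolve(HYBRID, REQUEST, cat, False))
```

With the same assignments, the on-premises path stops at the IP-based policy and permits the request, while the hybrid path reaches the group policies first and the outcome depends on the most restrictive setting.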