User can access to blocked site. Even though KM disallows access using a Firewall deny rule. For example: Chrome can't block to access "facebook.com" when the policy is set like below.
The behavior is following addDomainFilterRule API's concept.
As per the description, an administrator can apply a rule for a specific application or for all applications at once (using FIREWALL_ALL_PACKAGES). If a rule with FIREWALL_ALL_PACKAGES value is already in database and a rule is added with a specific application, the general one will not be considered to resolve the domain access enforcement for this specific application.
Block every site on every browser and allow specific sites on Chrome only. IT admins will have to add more prohibited policies for Chrome. If the application has a Permitted policy(Domain) , the app has to add a prohibited policy(Domain) as well.
[Related Articles*] – TM17B0A5