User can access blocked sites even though KM disallows access using a Firewall deny rule. For example: Chrome cannot block access to "facebook.com" when the policy is set as below:
The behavior follows addDomainFilterRule API's concept.
As per the description, an administrator can apply a rule for a specific application or for all applications at once (using FIREWALL_ALL_PACKAGES). If a rule with FIREWALL_ALL_PACKAGES value is already in the database and a rule is added with a specific application, the general one will not be considered to resolve the domain access enforcement for this specific application.
For a browser-specific application, block every site on every browser and allow specific sites on one browser only. IT admins will have to add more prohibited policies for Chrome. If the application has a Permitted policy(Domain), the app has to add a prohibited policy(Domain) as well.