Sender Match Pattern doesn't work on Web Prevent authentication string (WinNT://domain/username)

Article ID: 159940


Updated On:

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

When using Web Prevent, the HTTP incident shows the sender in the format WinNT://domain/username (which reflects a Windows username).
As a result, a rule based on Sender Match Pattern does not work as expected.

Resolution

The domain\username is actually sent in the username attribute, so the Sender Match Pattern will work based on the sender-email (like SMTP incidents).

Detection ignores the "WinNT://" portion of the sender field. To get this to work, do the following:

  1. Create a CSV file with the email address column containing "domain/username".
  2. Create an EDM profile using the CSV file and index the email address field as "email".
  3. Modify the Web Prevent Directory Group Match policy, adding the DGM in the GROUPS tab.
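
One way to prepare the CSV for step 1 from sender strings copied out of Web Prevent incidents, as an added example that is not part of the original article or a Symantec tool. The function names, the header row named "email", and the sample accounts are assumptions made for illustration.

```python
import csv
import io
import re

# Accepts "WinNT://domain/username", "domain\username" or "domain/username".
_SENDER = re.compile(r'^(?:WinNT://)?([^\\/@\s]+)[\\/]([^\\/@\s]+)$', re.IGNORECASE)

def normalize_sender(raw):
    """Return 'domain/username' for a Web Prevent sender string, or None if malformed."""
    m = _SENDER.match(raw.strip())
    if not m:
        return None
    return f"{m.group(1)}/{m.group(2)}"

def build_edm_csv(senders, header="email"):
    """Build CSV text with one 'domain/username' row per unique sender.

    Returns (csv_text, rejected) so malformed inputs can be reviewed
    instead of being silently indexed. The header row is an assumption;
    pass header=None to omit it.
    """
    seen, rows, rejected = set(), [], []
    for raw in senders:
        value = normalize_sender(raw)
        if value is None:
            rejected.append(raw)
        elif value not in seen:
            seen.add(value)
            rows.append(value)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    if header:
        writer.writerow([header])
    writer.writerows([r] for r in rows)
    return out.getvalue(), rejected

# Constructed sample input (not from a real deployment).
SAMPLE = [
    "WinNT://CORP/jsmith",
    "CORP\\jsmith",          # same account, backslash form: deduplicated
    "WinNT://CORP/adoe",
    "jsmith@example.com",    # SMTP-style address, not a Windows sender: rejected
    "WinNT://CORP/",         # missing username: rejected
]

if __name__ == "__main__":
    text, bad = build_edm_csv(SAMPLE)
    print(text, end="")
    print("rejected:", bad)
```
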