If you have explicitly denied an IP or host on your ProxySG it is still possible that the proxy will attempt to go retrieve information from that site. The ProxySG however will not deliver that content to a client. The reason for this is as follows:

If you request a site that has an embedded object that lies on the IP or host that you have blocked the SG will pipeline that original request and send packets to fetch objects from the blocked site even though it is denied on the ProxySG. Once the site is assembled in the pipeline request policy is executed and the object is denied and not sent to the client. However as stated, the ProxySG did go out and fetch that object. Another way to state this is, in a pipeline we do not process policy until after the complete site is fetched.

If you would like to stop this behavior you need to disable "Pipeline embedded objects in client request" option under in the ProxySG GUI under Proxy Settings -> HTTP Proxy -> Acceleration Profile. This is a global option.

If you want to stop this for only one site you need to use CPL to accomplish this. A deny rule in a cache layer will stop the packets from being sent out. For example:

<Cache> 
url.address=1.2.3.4 exception(content_filter_denied)

Will stop the ProxySG from pipeline embedded objects for IP 1.2.3.4