You are trying to deny access to a specific URL but it doesn't seem to match, no matter how you configure rules in VPM. The URL contains a script with a query string (often recognizable by a question mark in the URL string).
The reason is that we only evaluate the actual resource. So for example let's take this URL:
If you use a regular or even advanced match for "mp3" the rule will always be missed. This is because the actual resource is http://www.testdomain.com/download.php (everything hereafter is the query substring).
In order to write policy while taking into account the query string, we have to write CPL code. Assuming we want to deny downloading the mp3 file, the CPL code is as follows:
This operation is not available in VPM but only via CPL. So you can either insert a CPL Layer in VPM (provided you are running an SGOS version that allows you to add a CPL layer) or you can add it to your local policy file.