Visual Policy Manager allows you to restrict ICAP scanning based on destination URL / IP address only, but you want to restrict it based on source parameters, e.g. IP address or Active Directory group.
Note: It is NOT possible to restrict ICAP scanning based on authentication criteria (e.g. Active Directory user or group), only by IP address.
Some rules that cannot be created within Visual Policy Manager can be written in native CPL. This is one such case. The following CPL can be added either to your Local Policy or to a CPL Layer in Visual Policy Manager.
;; Modify NoScanList accordingly
;; Only devices NOT in NoScanList will be ICAP scanned
;; Do not cache these objects