A TCP_DENIED error page is returned instead of a CONTENT_FILTER_DENIED error page
If you use DENY as your action in your content filter policy entry you will get the TCP_DENIED error page. The TCP_DENIED error page will also result if the request matched any entry in the policy with a DENY action. If the site is denied, then the content filtering rule will not be matched.
Example #1: The following policy will NOT yield a content filter exception page since the action DENY is associated with the error page 'TCP_DENIED'
Example #2: The following policy will NOT yield a content filter exception page for any user in the subnet 10.2.3.0 because the user has been denied in making ANY request so content filtering is irrelevant. All others would get the CONTENT_FILTER_DENIED exception page.