Web Security Service (ThreatPulse)
There is a scenario where Block Categories in the G4 policy row overrides all Allow rules above the list. This occurs only when the SSL Interception is set as Disable and the site is HTTPS; HTTP sites are not blocked.
The ThreatPulse policy is not able to determine category by its URL because with HTTPS/SSL the URL is known only after the SSL handshake.
For security reasons, this is the expected behavior.