Users are able to access sites that are blocked in the Content Filtering policy in WSS.
Access Method is: WSS Agent (WSSA)
"Selective Intercept" is enabled in the Portal at:
Connectivity -> Locations -> Agent Configuration -> Selective Intercept
Disabling "Selective Intercept" resolved the issue.
The customer had previously enabled the "Selective Intercept" radio button, but wasn't sure what the feature did.
By enabling Selective Intercept, you change the behavior of the WSSA client.
Normal (default) mode for WSSA is to send all port 80/443 traffic to the WSS service...expect for the IP's and domains in the Bypass List.
If you enable Selective Intercept, then you change the behavior of the WSSA client to send NO TRAFFIC, expect for CASB traffic or traffic that is explicitly sent to ep.threatpulse.net:80 in a Pac file.
For more details, see the docs on the new Selective Intercept feature