Release : 1.14.50

Having investigated, we can confirm that this is expected behavior, with the non-browser applications. From the activity logs shared, we see that the URL host points to the zoom application.

Please note that this is linked with "Authentication Caching". With authentication caching, a user using a browser or an application that supports proxy authentication is able to authenticate, but a non-browser application that does not support proxy authentication has no means to offer credentials and authenticate. When Authentication Caching is selected, and the user has accessed the Internet with approved credentials, Symantec Threat Isolation caches the username related to the IP address and authenticates all applications from this IP, based on the user.

With the "Without Identity (for example, when users are behind a NAT device)" authentication caching selected, using any username authenticated from the source IP, the non-browser application authenticates anonymously (for example, behind a NAT device). The user cannot be identified in the activity logs. When Symantec Threat Isolation uses this mode, authentication is cached for seven days. This is what has happened in the case of the zoom traffic. See the actual config settings in the snippet below.

When this happens, the policy simply does not apply and the action would be a "block". Implementing authentication caching in the policy rule, as shown above, would ensure that the non-browser application would authenticate anonymously.