Whether you've used an automatic ICAP configuration with the Malware Scanning option in SGOS 6.x, or manually configured an ICAP response modification rule in the VPM, you may find that your organization needs to exempt specific destinations from ICAP scanning. If a destination URL, category, or file type is trusted, you can configure policy to negate it from being scanned.

Scanning exemption polices are implemented only from the Web Content layer and based only on "Destination" & "Action" objects. The "Track" objects is utilized for policy trace.

A Web Access Source Object, like the IP Source, etc., cannot be used, by design.

Note: The web content layer only allows exemptions based on destinations. To make an exemption based on source, use a web access layer instead of a web content layer.

Ref.: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-0/sg-introduction/communication/SG_ICAP_config/SG_ICAP_config_ICAP_exepmtion_policy.html 

Note: The web content layer only allows exemptions based on destinations. To make an exemption based on source, use a web access layer instead of a web content layer. Using a Web Access layer, where a desired IP Source is referenced in the source object of the rule, the "Perform Request Analysis" action object would be used, as shown in the snippet below.