I think the problem here is the SEP firewall does not see the actual website but it sees the proxy instead. In my experience with this, he will not be able to block certain sites while allowing others. This is why I could never use the SEP fw to block sites.
When I browse out to example.com, my log will show my proxy address, not example.com. So if I created a rule to block example.com, it wouldn't work and I would be able to browse to it just fine. Now, if I block my proxy address, then it works fine, however all my Internet browsing will be blocked.
SEP fw is not proxy aware so this won't work at all. It's an all or nothing deal when it comes to proxies.
If the machine was off the internal network then these rules would work.
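
The behaviour described in the post above, as an added example that is not part of the original post and is not Symantec's code: an address-based rule compares only the TCP peer, which is the proxy, while the real destination sits inside the request sent to the proxy. The addresses, sample requests and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

PROXY_IP = "10.0.0.5"      # constructed proxy address (assumption)
SITE_IP = "203.0.113.10"   # constructed address standing in for example.com

def proxied_host(payload):
    """Return the destination host named in a request sent to an HTTP proxy."""
    lines = payload.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split()
    if len(parts) != 3:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                 # HTTPS tunnel: target is "host:port"
        return target.rsplit(":", 1)[0].strip("[]").lower()
    if "://" in target:                     # plain HTTP via proxy: absolute URI
        return urlsplit(target).hostname
    for raw in lines[1:]:                   # direct request: use the Host header
        name, _, value = raw.partition(b":")
        if name.strip().lower() == b"host":
            host = value.decode("ascii", "replace").strip()
            return host.rsplit(":", 1)[0].lower()
    return None

def ip_rule_blocks(conn, blocked_ips):
    """Address-based rule: only the TCP peer address is compared."""
    return conn["remote_ip"] in blocked_ips

def host_rule_blocks(conn, blocked_hosts):
    """Proxy-aware rule: compare the host named inside the request."""
    return proxied_host(conn["payload"]) in blocked_hosts

# Constructed sample connections as seen from the client machine.
CONNS = {
    "https_via_proxy": {"remote_ip": PROXY_IP, "payload":
        b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"},
    "http_via_proxy": {"remote_ip": PROXY_IP, "payload":
        b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    "direct_off_network": {"remote_ip": SITE_IP, "payload":
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
}

if __name__ == "__main__":
    for name, conn in CONNS.items():
        print(name,
              "ip-rule:", ip_rule_blocks(conn, {SITE_IP}),
              "host-rule:", host_rule_blocks(conn, {"example.com"}))
```

Only the direct, off-network connection matches the address rule for the site; blocking the proxy address instead matches every proxied connection, whichever site it is for.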