Be VERY VERY careful doing that as the way SEP works, it can and often will block GOOD sites due to the use of AKAIMI........
IP addresses will "float" or be shared.
I've seen symantec.com blocked here because of using *.facebook.com in the firewall.
SEP resolves the IP address and blocks it............ then when they go to symantec.com, who also uses AKAIMI, they find symantec.com blocked because it now resolves to the same address but SEP has the other address, it's a mess here.
Our main provider for the State of Iowa, ICN (Iowa Communications Network) has an AKAIMI server - so on our way out, so to speak, we hit their server and guess what? I had to drop that firewall rule because SEP blocked walmart.com and bestbuy.com as well as facebook, twitter and myspace - even though I was doing it by DOMAIN.
SEP needs to be reconfigured somehow - we can't use domain blocking here but instead had to create custom IPS signatures to look into the packets for the domain names.
The kicker there is some packets are kicked out with IPS, too, because of all the ads and referrals.
Bottom line, your best bet in the company is a hardware firewall or PROXY like websense, otherwise, test the heck out of SEP before making it production - run it in log-only mode (do not block but DO log in the traffic log)

You will need to ADD only NTP for the firewall. 

I just tried to assign the brand new firewall policy to the group containing the laptops (Active Directory Assigned group), but the sub OU we want to assign it to is grayed out.  How do we make the firewall policy assignable to that specific group?

 Go to the group- hilight policies and uncheck "Inherit policies from parent group"
Or else you will have to assign the policy on the parent group it will be inherited on the child groups.

Policy is not blocking access to the website or IP address.

I created a brand new blank policy, added both the IP addresses and the dns domain names I wanted to block, moved it to the #1 position in the list of rules, assigned it to the group and created a new install package with AV/AS and NTP.
I installed the package with NTP on a test machine belonging to the group, but I can still get to the website on that machine.

 Did you reboot the machine after installing NTP. as NTP gets activated only after reboot.

 can you post the screenshot of the policy you have created..
also check this link might be helpful
http://service1.symantec.com/support/ent-security.nsf/docid/2009012915443648

 also make sure that the policy is getting applied to the client machine.. Check the policy serial no on client and the server both.

Are you sure antivirus, antispyware and NTP are all that's needed to be installed on the client?

 Yup..to be more Specific you only need Network Threat Protection bcoz that is the firewall and it is not dependent anywhere on PTP.

the only component dependent is Application and Device control you need NTP for application and device control to work.

sir vikram, why some symantec tech suggested that if you are creating a policy in application and device control it must be NTP and PTP are both installed

 B'coz Application and Device Control is dependent on NTP and it is a component of PTP
So you need both and AV & ASpy is a must component
So in short you need all features.