Oh, that's much easier. There are a lot of postings asking how to block a group of people from sending to a couple of domains - which is hard since compliance policies trigger on the entire message, so you block all the recipients.
It would seem that all you need to do is to create a policy group called BlockUsersGroup, add the blocked users' e-mail addresses (manually or via LDAP lookup).
Create a couple of content policies, one for inbound and another for outbound. This is just so you can have different responses. The content policy would be simply "for all messages", with the action to be something along the lines of Send a notification (inbound - reject, with cause: user unable to receive mail; outbound - reject/bounce with an explanation why they can't send mail).
Of course, test with an action like add a header, so you don't drop important mail.
You may also want to create a Content Incident folder in case there is a need to monitor what the restricted people are sending.