Sooooo, in order to block specific parts of an SSL encrypted site, you must be using SSL Deep Inspection. More info on SSL Deep Inspection can be found below (with further useful links inside this article):
http://www.symantec.com/docs/HOWTO54180
Essentially though (in bullet points):
- SWG must be in proxy mode
- Enable SSL Deep Inspection
- Download SWG's cert and distribute to clients
- Configure clients to use SWG's LAN/WAN IP address and ports (for https and http respectively) as proxy via GPO/PAC/WPAD/whatever
- Configure SWG Policy for SSL Deep Inspection Interception
- Configure SWG Policy for filtering (with a lower priority)
As far as blocking pages go, the below articles are quite handy:
http://www.symantec.com/docs/TECH175244
http://www.symantec.com/docs/TECH206412
And to answer your final question, the whole SSL Deep Inspection process works in a man-in-the-middle scenario. Clients create an SSL connection to the SWG, the SWG creates an SSL connection to the external website.
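
Added example, not part of the original post or of Symantec's documentation: a PAC file for the client-configuration step above, sending http and https traffic to separate SWG proxy ports. The IP address, both ports and the internal DNS suffix are constructed placeholders, and `isInternal` is a hypothetical helper.

```javascript
// Example PAC file (added illustration). All values below are placeholders:
// substitute the SWG's real proxy address and its configured ports.
var SWG_IP = "192.0.2.10";              // placeholder (documentation range)
var SWG_HTTP_PORT = 8080;               // placeholder HTTP proxy port
var SWG_HTTPS_PORT = 8443;              // placeholder HTTPS proxy port
var INTERNAL_SUFFIX = ".corp.example";  // hypothetical internal DNS suffix

// Hosts that should not traverse the gateway. Matching is exact or by a
// dot-anchored suffix so that look-alike names cannot slip past the proxy.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;           // plain intranet name
  if (host === "localhost" || host === "127.0.0.1") return true;
  var tail = host.length - INTERNAL_SUFFIX.length;
  return tail >= 0 && host.indexOf(INTERNAL_SUFFIX, tail) === tail;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // No "; DIRECT" fallback on the proxied schemes: if the SWG is
  // unreachable the request fails instead of leaving uninspected.
  if (scheme === "https") return "PROXY " + SWG_IP + ":" + SWG_HTTPS_PORT;
  if (scheme === "http") return "PROXY " + SWG_IP + ":" + SWG_HTTP_PORT;
  // Schemes other than http/https are not covered by the post.
  return "DIRECT";
}
```

The file uses only plain string operations, so it can be unit-tested outside a browser before it is published via GPO or WPAD.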