Bob,
With just those 3 policies, I do not see what would cause the amount of traffic. I would turn off one or more of these policies to see what is causing the large amount of data to be sent between the endpoint and server.
I would start with the Forbidden Websites... it may not be written correctly.
You can also look at the Endpoint Server logs to see what kind of transmissions are happening. Turn the logging level up on the Endpoint Server to see more on the communication. The only thing I can think of is if the Endpoint Agent is constantly renegotiating the connection with the Endpoint Server. That aspect does have a large amount of data in comparison to just an incident... doubt it, but a good place to start.
Also check the Endpoint Agent Events to see if there is a large amount of communication happening with the Endpoint Server or even some errors.
Is this happening on just one Endpoint? If so, what kind of actions or transmissions are they doing?
If this answers your question, please mark it as solved.
Ronak