There are some guidelines but nothig in regards to 'best practices':
http://www.symantec.com/docs/TECH171061
It all comes down to how easy it is for you to manage while keeping things secure. There was a recent thread on this as well:
https://www.symantec.com/connect/forums/best-practice-exceptions
Is it difficult to manage multiple locations/groups and policies? If not, then you can get more granular and break them out separately. You could create the exception and apply it everything, even though the exception may only apply to one or two groups. Yes, it does open a hole but realistically this may be less tedious to manage. If you can easily manage multiple groups then break them out individually and create a specific policy for it.