Sorry, apparently I haven't been clear.
I don't wish to block EVERYTHING. My question has to do with when authentication is required.
As I understand it, this is the workflow that is required in order to use different filtering profiles, or to utilize the "override" command:
1) As soon as a device logs on, it must authenticate before it can even access the internet.
2) They are automatically assigned a profile based on their identity.
3) When a blocked page is encountered, if "Allow blocked override" is checked and users are in a group that is allowed to override, the page is displayed and the override remains in place for the amount of time specified in the settings.
STEP 1 is the problem here. I do not want ALL of my users to have to authenticate just so that a FEW can be assigned an alternate profile. Here's what I WANT to happen:
1) As soon as a device logs on, it has immediate access to the internet and uses the default filtering profile.
2) When a blocked page is encountered, the user can authenticate, which will assign them the correct profile based on identity.
3) If a page is still blocked with the newly-assigned profile, the override function can be used, as above.
Right now I CAN accomplish this, by setting each category I want to block to "authenticate" instead of "block." The problem is that if, for example, I want to block 5 categories, then I have to manually change each one to "Authenticate" AND change the settings for each one. Not the end of the world, but just not ideal.
I guess this might be splitting hairs. I guess I was spoiled by the dedicated filtering appliance I'm used to, as this was easy to configure.