Sounds like you need two policies:
1. One policy to allow access to Office.
2. Second policy to restrict Web traffic.
If the policy allowing Office is above the other policy then the only traffic that is going to match the Office policy is traffic destined to Office apps.
When a user tries to access a blocked web page it will completely bypass the office policy and go to the web filter policy.
Now, we can't really use application control to block access in this way because policies are matched on the network traffic and then we filter the application traffic. So in the scenario above if you are allowing Office using application control your policy must also be allowing HTTP traffic which means your also going to have to simultaneously block using web filters.
I would suggest leveraging the ISDB whenever you need to allow access to specific resources and services. In this case use ISDB (which is a network-level classification) to allow access to Office in a single policy.
Then use the web filter policy below it to filter out how your users web browsing should work.
Hope that helps.