Usually you'd configure:
* Group allow FTP
* Everyone allow HTTP
So, if Group doesn't match FTP then it will still do HTTP.
This is exactly what you do on FortiGate as well. You have two policies as you just defined:
1. One policy allows FTP traffic from "Group" members.
2. Another policy allows HTTP traffic for everyone.
Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.
Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is, "FTP" is a service (TCP/21), "HTTP" is a service (TCP/80), etc.
Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy.
It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this.
So your policy for the Group will reference the Group as a source and TCP/21 as the service (no one else will be allowed to use FTP).
Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict or block or monitor Web categories or URLs you don't need a profile.
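
The two policies described in this answer, written out as FortiOS CLI. This is an added example, not part of the original post. The interface names `port1` and `port2`, the policy names, and the `all` address object are assumptions, and `Group` is assumed to already exist as a user group.

```fortios
config firewall policy
    # Policy 1: only members of "Group" match, and only for the FTP service (TCP/21).
    # Interface names below are assumptions; substitute your own LAN/WAN interfaces.
    edit 1
        set name "Group-FTP"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "Group"
        set service "FTP"
        set schedule "always"
        set action accept
    next
    # Policy 2: no user group, so it applies to everyone, selected by the HTTP service (TCP/80).
    edit 2
        set name "All-HTTP"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP"
        set schedule "always"
        set action accept
        # Optional: attach a Web Filter profile only if you need to restrict,
        # block or monitor web categories or URLs in this policy.
        # set utm-status enable
        # set webfilter-profile "default"
    next
end
```

A "Group" member browsing the web does not match policy 1 because the service is not FTP, so the traffic is selected by policy 2. FTP from anyone outside "Group" matches neither policy and is dropped by the implicit deny.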