ashok_kumar
New Contributor

Reg: Unrestricted user

Hi guys, I have a doubt. One of our users wants unrestricted internet access. I created a group "unrestricted", also created the user on an IP basis, and also applied a policy. Still that user can't access the internet. Can you help me with this?

ashok kumar

Network Engineer

CCNP/MCSA
hklb
Contributor II

Hi, you have created a DHCP reservation and created an object for this IP? Is that correct? (I'm not sure I understand correctly.) Are you sure of your policy order? And removed the restrictions on this rule? The more specific rules need to be at the top.
Nihas
New Contributor

I assume that unrestricted access means access to social media, P2P, etc. If that is true, there are many ways to achieve this. The common and simple way is described below (experienced users can provide a more feasible option, though).

1. Create a new web filtering profile with a name something like "Excluded users_WF".
   a. Block "Security Risk Category"
2. Create a new Application Control with a name something like "Excluded users_AC".
   a. Create a new application sensor to block "Botnet"
3. In the same way, you can create security profiles with less restriction for other UTM features like DLP, Email, etc.
4. Create the IP address of the particular machine as an address object.
5. If you want to add multiple machines, you can create a group and add those IPs to it (i.e., Excluded user group).
6. Create a new firewall policy on top of the current internet policy and configure it as below.
   a. Source interface - LAN
   b. Source address - Excluded user group
   c. Destination interface - WAN1 / WAN2 (or virtual WAN link)
   d. Destination address - any
   e. Service - all
   f. NAT - enable
   UTM:
   a. Antivirus - default
   b. Web filtering - Excluded users_WF
   c. Application control - Excluded users_AC
   d. SSL deep scan - enable (if you don't want to use other UTM features, disable it)
7. Try to surf from the particular machine, and see whether the user is able to access the restricted sites.
Nihas
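Added example, not part of the thread and not FortiOS code: a simplified Python model of first-match policy evaluation, showing why the replies above insist that the more specific policy sits on top of the general internet policy, plus a check that flags a policy shadowed by an earlier one. The addresses, the "Internet" policy name and the "default" profile are constructed for illustration, and matching is reduced to interfaces and source address (destination "any", service "all", as in the steps above).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str      # source network in CIDR form
    web_filter: str   # web filtering profile applied on match

def _net(p):
    return ipaddress.ip_network(p.srcaddr)

def first_match(policies, srcintf, dstintf, src_ip):
    """Return the first policy (top to bottom) that matches, or None (implicit deny)."""
    ip = ipaddress.ip_address(src_ip)
    for p in policies:
        if (p.srcintf, p.dstintf) == (srcintf, dstintf) and ip in _net(p):
            return p
    return None

def shadowed(policies):
    """List (policy, shadowed_by) pairs: a later policy whose source range is
    fully covered by an earlier policy on the same interfaces never matches."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same_path = (earlier.srcintf, earlier.dstintf) == (later.srcintf, later.dstintf)
            if same_path and _net(later).subnet_of(_net(earlier)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample: the general LAN policy and the one-host exception.
GENERAL = Policy("Internet", "LAN", "WAN1", "192.168.1.0/24", "default")
EXCLUDED = Policy("Excluded users", "LAN", "WAN1", "192.168.1.50/32", "Excluded users_WF")

WRONG_ORDER = [GENERAL, EXCLUDED]   # exception below the general policy
RIGHT_ORDER = [EXCLUDED, GENERAL]   # exception on top

if __name__ == "__main__":
    for label, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(order, "LAN", "WAN1", "192.168.1.50")
        print(label, "order ->", hit.name, "/", hit.web_filter, "| shadowed:", shadowed(order))
```

The /32 match only holds while the machine keeps that address, which is why the replies suggest a DHCP reservation.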
ashok_kumar
New Contributor

Yes, one of our managers wants everything. I did the work using IP base, but DHCP is already enabled in our FGT. Right now I have created a user group. My doubt is: I have one web filter policy and application policy, so creating another one is no issue, right?

ashok kumar

Network Engineer

CCNP/MCSA
hklb
Contributor II

In the menu "global - config - feature", you have a feature called "multiple security profiles". Like this, you will be able to create more than one security profile.
ashok_kumar
New Contributor

ok

ashok kumar

Network Engineer

CCNP/MCSA
ashok_kumar
New Contributor

Is it possible through MAC instead of IP?

ashok kumar

Network Engineer

CCNP/MCSA
ashok_kumar
New Contributor

Pls find screenshot

ashok kumar

Network Engineer

CCNP/MCSA
ashok_kumar
New Contributor

fyi

ashok kumar

Network Engineer

CCNP/MCSA
hklb
Contributor II

I think no, it's not possible by MAC address (I'm not sure), but the easier way is to create a DHCP reservation.