Hi,
I'm trying to configure a GPO to deny all traffic to a specific subnet and then allow it to a specific group of users.
On the Default Domain Policy GPO I created two outbound rules in the Windows Firewall With Advanced Security section:
Block all traffic to 192.168.10.0/24
Allow Administrators to 192.168.10.0/24
On the allow rule, I chose "Allow the connection if it's secure", then Customize, and chose "Allow the connection to use null encapsulation" and "Override block rules", then on the Computers tab I chose "Authorized computers" and added the "Domain Admins" group.
I forced the GPO update on one of my workstations, and no one can ping any IP on 192.168.10.0/24, not even the users who are members of the "Domain Admins" group :(