I want to block the download of executable files by everyone but a select few, without blocking Microsoft / Windows Update.
Here is what I think should be happening. I am guessing I need to set up a policy that allows unfettered access to "Microsoft Update" and "Windows Update". Let me do the textual equivalent of thinking out loud.
I create a UTM Custom Objects File Extension list for executables.
I create a Content Filtering profile that identifies the list as the allowed list.
I create a different Content Filtering profile that identifies the list as the list to block.
I create a UTM policy that identifies this Content Filtering Profile allowing access to Windows updates.
I create a Security policy that ties the UTM policy to going to the Microsoft Updates sites.
I create a Security policy that ties the blocking content and position it after the one allowing the Windows update access.
Is that about right? I may have some questions about the mechanics when I get into it.