The Access Control List (ACL) allows you to combine the previous object definitions into distinct rulesets for each source (client group) or in a default ACL.
The default section defines fallbacks for all ACL rulesets. Thus, if you define a rewrite rule here, it will be used in ACLs where there are no rewrite rules defined (i.e. the other ACLs inherit the definitions in the default ACL, optionally overruled by their own definitions). The default rule set is used for all clients that match no sources (client group) and for client groups (sources) with no ACLs declared.
The Deny ip addresses in URLs option can be used to enforce the use of domain names over IP addresses in the host part of URLs.
The Default access allows you to choose the default behaviour of the ACL. Only the selected list (none) should be used to terminate pass rules where only the listed destination groups should pass. All Internet (all | any) is the default and is used to allow full access to the Internet, provided that the destination is not found in the blacklist groups.
Allow access to must be used to define whitelist groups to terminate pass rules when the destination is found in a list.
Deny access to must be used to define blacklist groups that should not pass (i.e. be redirected to the current redirect URL). This means there must also be a redirect definition for either the destination group, the current ACL, or the default ACL.
The DNS Whitelist allows you to use a set of Internet DNS blacklist engines to allow destinations for the current ACL.
The DNS Blacklist allows you to use a set of Internet DNS blacklist engines to block destinations for the current ACL.
The Use rewrite rules allows you to declare the substitution rulesets that apply to the current ACL.
The Redirect URL declares the alternative URL to be used for blocked destination groups for the current ACL.
The else part of the ACL can be used only if you defined a time constraint for the ACL.
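The following Python model is an added example, not code from the product this page documents. It shows how Deny ip addresses in URLs, Deny access to, Allow access to, Default access and Redirect URL combine into one decision per request. The group names, URLs, the deny-before-allow evaluation order and the redirect lookup order (destination group, then the ACL, then the default ACL) are assumptions; DNS lists, rewrite rules and time constraints are left out.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed destination groups and ACLs; all names and URLs are illustrative.
DEST = {
    "ads":      {"domains": {"ads.example"},  "redirect": "http://proxy.example/ads"},
    "gambling": {"domains": {"bets.example"}, "redirect": None},
    "intranet": {"domains": {"corp.example"}, "redirect": None},
}
DEFAULT = {"deny_ip": False, "deny": [], "allow": [], "default_access": "none",
           "redirect": "http://proxy.example/blocked"}
ACLS = {
    # Blacklist style: block listed groups, then allow the rest of the Internet.
    "staff": {"deny_ip": True, "deny": ["ads", "gambling"], "allow": [],
              "default_access": "all", "redirect": None},
    # Whitelist style: only listed groups pass, the list is terminated by "none".
    "kiosk": {"deny_ip": True, "deny": [], "allow": ["intranet"],
              "default_access": "none", "redirect": "http://proxy.example/kiosk"},
}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def in_group(host, name):
    return any(host == d or host.endswith("." + d) for d in DEST[name]["domains"])

def decide(source, url):
    """Return ("pass", None) or ("redirect", target) for one request."""
    acl = ACLS.get(source, DEFAULT)          # no ACL for this source: default ACL
    host = urlsplit(url).hostname or ""
    hit = None                               # destination group that blocked it
    if acl["deny_ip"] and is_ip(host):
        blocked = True
    elif (hit := next((g for g in acl["deny"] if in_group(host, g)), None)):
        blocked = True
    elif any(in_group(host, g) for g in acl["allow"]):
        blocked = False
    else:
        blocked = acl["default_access"] == "none"
    if not blocked:
        return ("pass", None)
    # Assumed lookup order: destination group, then this ACL, then the default ACL.
    target = (hit and DEST[hit]["redirect"]) or acl["redirect"] or DEFAULT["redirect"]
    if target is None:
        raise ValueError("blocked request but no redirect URL is defined anywhere")
    return ("redirect", target)
```

The `ValueError` branch corresponds to the requirement above that a blacklist group needs a redirect defined at some level.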