Create a group that includes the host/networks you wish to subject to Application Control.
Ensure that is listed as the Source for all of the Application Control rules you wish to create.
This will ensure that only the hosts you explicitly list will be subject to Application Control (and thus be in Medium Path)
All other sources will not be subject to Application Control and should remain in the SecureXL path, if eligible.
Note this assumes that the relevant hosts/networks are permitted to access the Internet via the Firewall rulebase, which must accept the traffic before Application Control even sees it.