We have several machines where there is quick user switching. I've noticed that sometimes we'll get a complaint about a user who is supposed to be allowed to log in to webmail sites not being allowed to log in to webmail sites. They get a block message. When I look in the logs, the message has about 5-10 user IDs listed as the source. I'm assuming it just takes one of these with the email restriction to block the traffic.
I also seem to have the same problem outbound. One IP at some ISP could service 1,000 destinations. If one is categorized as malicious, all traffic to that IP is blocked.
Any pointers?