Sorry to come in late on this one, but you have highlighted an area of overlap between Access Control and Threat Prevention that can lead to confusion when searching through Threat Prevention logs looking for a drop that was actually caused by URLF. Access Control (including URLF) is always enforced first (with some exceptions for IP reputation drops that can happen very early for efficiency reasons) followed by Threat Prevention. My impression is that the URL Filtering categories Spyware/Malicious Sites & Botnets are primarily for sites that were once a legit category (like Business/Economy) but have been hacked/infected and suddenly moved into this category; sites that are perennially in these categories tend to eventually get shut down by ISPs/providers unless they are in a hostile country. These URLF categories can still provide some protection even if Threat Prevention is not enabled at all.
The reputation data for Threat Prevention is sourced from a number of open and closed sources, and it doesn't surprise me that occasionally it won't be in agreement with URL filtering. Threat Prevention's database is much more dynamic and ever-changing than the URL filtering database.