Netscreen policies using domain names - having problems

Archived from groups: comp.security.firewalls (More info?)

 

I've recently purchased a Netscreen 5GT for use on my home network.
This device is a bit of overkill for my needs, but the LAN-to-LAN VPN
capabilities might be useful someday since I'm an occasional
telecommuter. At this time, I'm simply using it as a firewall for my
broadband connection.

I've been trying to create the requisite policies that will allow the
computer in my children's room to access very specific web sites that
I define for them. Adding a group and putting several web sites within
it was no problem; however, I opted to use the domain names rather than
specific addresses or groups of addresses or subnets. I've read
through the documentation thoroughly, including the proper setup of DNS
servers. When checking the DNS cache, it appears as though this part
is working correctly. BTW, the ScreenOS is 5.0.0r2.1.

So, I create the policy that allows the kids' computer access to sites
within the defined group, placing it at the top of the list (trust to
untrust).

Next is a policy that denies the kids' computer access to anything
else.

Third is the policy that allows the remaining computers access to
everything.

I enabled logging on all three policies as a means of troubleshooting
this. The first policy log has the correct entries, and the second
policy log is larger containing many of the same entries as #1.

Since I am familiar with Cisco access lists, my mindset is to assume
an implied deny unless specifically allowed. To that end, I changed
the default-permit-all, or rather I unset this default effectively
creating the condition where traffic is denied unless specifically
allowed.

Has anyone else created a similar config and had success? My interest
is in keeping the 'garbage' off the kids' PC while allowing the others
to surf unrestricted. Have I missed something? Perhaps a ScreenOS
problem?

TIA,

Ken
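For readers following the thread, here is a constructed ScreenOS 5.x configuration that lays out the three policies and the default-permit change described in the post above. This is an added example, not Ken's configuration or anything from Juniper/Netscreen documentation: the host address, the site names and the policy ids are placeholders, the command syntax is written from memory of ScreenOS 5.x (check it against the manual for your release), and lines beginning with `#` are commentary rather than CLI input.

```text
# --- Address objects (placeholder values) ---
# The kids' PC, as a single-host entry in the trust zone
set address trust "kids-pc" 192.168.1.50 255.255.255.255

# Allowed sites as FQDN entries in the untrust zone. The firewall resolves
# these itself using the DNS servers configured on the device, so the DNS
# setup the post mentions is what feeds these entries.
set address untrust "site-a" www.example.com
set address untrust "site-b" www.example.net
set group address untrust "kids-sites" add "site-a"
set group address untrust "kids-sites" add "site-b"

# --- Policies, trust to untrust, evaluated top-down, first match wins ---
# Entered in this order they are appended in this order.
# 1. Kids' PC may reach the allowed group (HTTP only here; add a service
#    group if the sites also need HTTPS)
set policy id 1 from trust to untrust "kids-pc" "kids-sites" "HTTP" permit log
# 2. Kids' PC is denied everything else
set policy id 2 from trust to untrust "kids-pc" "Any" "ANY" deny log
# 3. Everyone else on the LAN is unrestricted
set policy id 3 from trust to untrust "Any" "Any" "ANY" permit log

# --- Replace the implicit permit with an implicit deny, as the post does ---
unset policy default-permit-all

# --- Checks (assumed 5.x command names; verify on your unit) ---
get policy                 # confirm the three policies and their order
get dns host cache         # confirm each FQDN has resolved to an address
get log traffic policy 2   # see exactly which destinations hit the deny rule
```

One caveat that applies to any FQDN-based policy, on this or any other firewall: the firewall matches on the addresses it resolved for the name, while the client browser uses whatever its own resolver returned. For sites served from several addresses (round-robin or CDN hosting), the two can differ, and a connection to an address the firewall has not cached falls through the permit rule into the deny rule even though it is "the same site". Comparing the destination addresses in the policy 2 log against the entries in the DNS cache is the quickest way to confirm or rule that out.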


> Has anyone else created a similar config and has success? My interest
> is in keeping the 'garbage' off the kids' PC while allowing the others
> to surf unrestricted. Have I missed something? Perhaps a ScreenOS
> problem?
>
> TIA,
>
> Ken

You failed to mention what/where your setup is going wrong.
