Using CFS, What is the easiest way to block all, then only allow specific sites?
Set the default policy to block all sites, then create a custom per-policy allow list for the default policy which allows certain sites or domains.
Be aware that you may also need to allow domains or addresses which the allowed sites pull content from (such as fbcdn.com for facebook.com, 1e100.net for google.com, etc).
In addition, allowed subdomains of a larger domain do not by themselves allow material from other subdomains in that domain. For instance: allowing access to www.yahoo.com (which is a subdomain of yahoo.com) will not allow a redirect or images to be pulled from login.yahoo.com or images.yahoo.com.