In order to allow further domains add in the Custom CFS categories that are allowed by your Custom policies as per following pictures:
Now add in the custom category that is actually also allowing in the custom policies:
In order to block other domains, please do the same using categories that are actually blocking the access in your custom policies.
Is really important to understand that in this scenario the categories will be update and the firewall will think that a specific policy "27: Information Technology/Computers" is actually having also cnn.com as part of that domain.
So if we set cnn.com as part of category 27 we will have a possible scenario were we are blocking news and media and at the same time we are allowing the Category 27. That will allow the firewall to apply the logic to apply always the policy less restrictive.
In our scenario we are both blocking and allowing the cnn.com due being part of two categories. The firewall due to this logic will allow the domain.