Although the Application Control options are extremely useful, there is a significant restriction in only being able to apply these restrictions to Networks.  In the Network Security,  URL Filtering section you can have the restriction by IP Group or Network, which allows much more control for larger networks and multi level users connecting to the same network.

In the Application Control, it is only by Network, which then makes it impossible to unrestrict certain users that join a specific network.  It is also not possible to allocate a user to a different network when they connect via WiFi as there can only be 1 network associated with a single SSID.

The Application control options are so much more simple and easier to apply than with constant URL updates and would be a much more comprehensive security/control solution.

If there is a way to apply the application policies to Groups, please let me know.