I have the feleing that we are confusing between objects and users.
Object cannot change the fitler profile so they cannot be used to limit some domains.
However you can use objects to restrain access to some groups or to limit it to some hourrrrrs or to grant non'limited access.
Choose a default policy of "Authorize and filter"
So firstly you have to create a filter profile for LimitedUser in this profile go to the "Domain filter" tab and add the banned domains.
Then go to "Group policies" and add a policy for the group of LimitedUser (if limited user does not have any group, create and group and add him to it), select as fitler profile the one that you have created in the previous step, a policy of 'allow' and select the days of the week and hours in which he can access.
As for the IT user if you havent touched the default filter profile it allows all so not need to touch anything. If you have changed the default profile you must create another for IT without any restriction and assign to it using a group policy, like we have done before.
Then you must save the changes.
With this configuration:
- IT user does not have any limitation
- Limited user cannot access to the websites you have listed in his filter profile and only can access in the timetable defined in his group policy
As you see I dont see the need to use objects, I am missing something?