I've not got the best memory and I'm currently out of the house. But from memory, I tried multiple configurations to try and get it to work. The one I was using towards the end was:
Proxy on, not transparent, Port 8080, Default policy set to filter (though I got the same problems with always deny as well I think).
The domain filtering was set up as:
Both check boxes unticked (but I did experiment with trying the "block all but domains listed below" option)
Then added to the domains list a couple of sites with always deny, a couple with always allow and a couple with filter.
With content filter set to strict.
I haven't used the objects settings to define a group of machines (I did play with it briefly to see if that would make a difference though, but in the end deleted the objects and stuck with the default policy).
This is from memory but I think it's about right. I'm more than happy to try some other configurations if you have some you want me to try out.
Thanks