Following instructions allow to block all web access for a particular user, except few manually whitelisted websites. All actions are performed in the Sophos Central Admin web console.

• Go to Endpoint Protection > Settings > Website Management and add all websites you want to allow. Make sure to add a tag.
  
• While still in Endpoint Protection section go to Policies and add a new Web Control policy
  
• Modify the new policy as follows:
  • Under Users add all users that web block will apply to.
  • Under Settings
    • Web Control – Enabled
    • Additional security options – Let me specify – set all categories to Block
    • Acceptable web usage – Let me specify – set all categories to Block
    • Log web control events – Enabled
    • Control sites tagged in Website Management – click Add New and select the tag you added in the first step for whitelisted websites.
      
  • Under Policy Enforced make sure Policy is enforced is enabled.
• Click Save

That’s it. In my experience policy is applied pretty much immediately after clicking Save. If you make any changes to the whitelist (under Settings > Website Management), open the Web Control policy and save it without making any changes to re-apply the policy to clients.

June 2019
Sophos Endpoint Protection
Sophos Central Admin
Windows 10 Pro