Using a 2830n to control internet access for two groups of users: restricted, and un-restricted.

The scenario is very similar to the one outlined in Example 2 of FAQ 107 - How do I set up a firewall filter? http://www.draytek.co.uk/support/kb_vigor_filtering.html
(in my example there is no mail server).

The problem I have with the solution from Example 2, is I don't see how the restricted group (those not in "Marketing") are blocked from accessing the web. To me it seems there's a setting or a rule missing.

What am I missing?

You need a"Block all unless further match" Rule at the top (or in front) of the 1st rule.
You would then create all your allow rules underneath that.

Thank you Sircon

That was my interpretation as well - there was a 'block all' rule missing.
I think the five rules would be clear and instantly understandable by all.

However (having slept on it), Example 2 is a little more subtle. By turning the last rule into an If Not effectively Rule 4 says 'Block everything, except this one condition'. Hence the 'block all' rule and POP3 requirement, are merged - five rules becomes four.