environment : Nw5.1 sp6 + BM36

Im using the following deny rule :

action : deny
access type : url
source : a NDS group
destination : any

The problem is that when the user type - lets say - http://www.novell.com
the rule works as expected, but when he types the IP address of the site,
say the user is allowed to access the site.

Ive changed the rule to almost every option avaiable ( url , port , app
proxy , etc ) but it didint work .

Any clue ?