Hope someone can help with access rules that don';t seem to work

Running BM3.8 SP1a. Have ticked "Enable HTTP Proxy Authentication"
and "Single Signon" and clients running CLNTRUST.EXE. Have installed
SurfControl for web filtering and have created rules to block downloads.

All works fine however as my email suggests I work at a school and would
like to refine the rule base so that teachers and students have different
rules applied. I am having problems as I only seem to be able to create
rules to block or allow sites based on source being "any". If I use the
source as an NDS object such as a group, username or context it does not

Any ideas?