After creating user roles to allow users to access only one internal url, but when I test it, I can browse any where on the net. Where do I configure the rules so that users can only access a certain websites?
How are you allowing users to connect: NC, SAM, Pulse, or web only? Are they connecting to any site using the web-based access? If yes, that is controlled by the web ACL at Users>Resource Policies>Web>ACL.
I'm not sure Secure Virtual Workspace (SVW) would work here as you can't control what users connect to; only what can run on the client machine.
If a user logs into the SSL box you can only control the resources they access through the box. If you have given them core access (WEB) to a specific URL within your network that does not stop them to from going to anywhere else that is external to the SSL box. If you want to control their access while logged into the SSL you might look at the Secure Virtual Workspace function.