Sorry, no answer, but you're up against typical f/w behaviour for authenticated policy rules, e.g. I had to do this with a serious f/w appliance a while back and it took some effort. Eventually found out how, and it was an obscure command line hidden in a dark recess of the small print, not something you can do in the whizz-bang GUI. I subsequently gave unauthenticated users much more limited access to the net than authenticated users, which made my scenario a Reasonable Thing To Do[tm].
How to grant access to the internet to users that have not been unauthenticated against AD.