File Type Control policy not enforcing block

I’m still pretty new to Zscaler in general, so it may be something glaringly obvious. I’ve created a FTC policy to block most file types (exe as an example) and have it scoped to a group which my test user belongs to and is for all protocols and all categories. I’ve been testing by downloading notepad++ exe from their site. The download is still being allowed what exactly am I missing? I’ve also tested with multiple browsers, Chrome being my main one with QUIC disabled. I’m only using ZIA at the moment and am off a trusted network. URL filtering is working as intended. What other information is needed to troubleshoot.

Thanks

Is ssl inspection enabled?

Under SSL Inspection it is set to Enabled for Windows. I’m only using the ZAPP client.

You can check the certificate issuer name to be sure about SSL inspection on the site. Enabling SSL inspection for Windows doesn’t guarantee inspection as SSL inspection might be disabled for location or for URL category/cloud app…

I can see block happening for notepad++ exe download.

Thanks, getting closer. Part of the issue was I needed to “install the certificate” in the ZAPP app profile, so now I see the correct certificate. I did verify the URL category is enabled for SSL inspection.

This is for an untrusted network (off corporate network) do I need this enabled?
“Enable SSL Inspection for Remote Users with Kerberos”