Best approach for Authentication and Surfing Quotas?

Question

I am struggling to come up with an effective approach for limiting and protecting my kid on my home XG install and looking for ideas/advice. 
 Scenario: 
 Would like to apply Surfing Quotas and Web filtering rules to kid devices only. All others will be unrestricted. His devices are all "known" and setup with DHCP reservations and client-less mappings. 
 Ideally I would apply Quota and Web Filtering rules by device, but my understanding is that Quotas can only be applied to users. Therefore, it seems the captive portal would be the only option given he has a Chromebook and other devices that do not support the agent. What would be the best way to setup the captive portal to only apply to his devices and leave all other "unknown" users/devices without restrictions? 
 Thanks in advance.

Michael Dunn · Accepted Answer

With firewall rules, you should be able to specify specific source IPs (source network = host). This will allow you to have a firewall rule only for your kids' device and have captive portal authentication on it, then have a second firewall rule for the rest of your network. 
 
 Another option to look at is having captive portal forever logins. 
 Go to Authentication, Services, and scroll to bottom. Preserve Captive Portal - No Use Keepalive - Disable Timeout - Unlimited 
 My recollection is that you should be able to log in once and then keep it for weeks - basically it stays until the box is restarted. It is a poor man's clientless user.

john_kenny · Answer

Hi Paul, 
 Sorry to butt in again but i know you have User ID Sync in place now right? So essentially you can skip the Binding hosts to ips, you can create User based rules for your kids logins where the surfing restrictions you setup on those users, that way whatever endpoint your kids login too there restrictions apply even if you overlook an IP. then just clone that rule below and set a drop / reject rule below this one as a catch rule. As long as your kids only know there users passwords you should not have an issue. 
 Just another way you can go about this. You could do it the other way round and create your main web protection policies with restrictions then rather than creating user based firewall rules for your kids create them for everyone else, that way only those users can access unrestricted content. 
 Also dont overlook setting Central Web policies for these users too as further protection.