You want to block users from downloading executable files from any browser using Cloud SWG (WSS) portal.
NOTE: If the URL to download the file is over HTTPS, you need "SSL Interception" enabled in order for Web Security Services (WSS) to block downloads.
[Image 1] "New Rule: Threat Protection Group B" dialog
Important note: File based policies are intended to be put in the Threat Protection layer rather than the Content Filtering / Acceptable Use layer.
Specifically advanced verdicts available in the Content Filtering rules ("Allow with Coach" and "Block with Password Override") are designed to be applied to web-pages so that the coaching or password override page can be returned and displayed to the user.