On Demand rules are processed from top to bottom; once a match occurs, all further rules are ignored.
Because the EvaluateConnection section always counts as a match, whether or not the domains/hostnames it contains are bypassed, any Connect or Disconnect actions added lower in the list of On Demand rules will always be ignored.
To exclude entire networks from using web protection, these rules must be added above the EvaluateConnection rule that is added by default to the payload.
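The ordering problem described above can be checked mechanically before a profile is deployed. The following is an added example, not code from the product: it parses a constructed On Demand rule list, reports rules placed after the EvaluateConnection rule, and moves Connect/Disconnect rules above it. The SSID `CorpLAN`, the domain `intranet.example.com`, and the function names are assumptions made for illustration.

```python
import plistlib

# Constructed sample: On Demand rules as they might appear in a VPN payload.
# The SSID "CorpLAN" and domain "intranet.example.com" are made-up values.
SAMPLE = b"""<plist version="1.0">
<dict>
  <key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key><string>EvaluateConnection</string>
      <key>ActionParameters</key>
      <array><dict>
        <key>Domains</key><array><string>intranet.example.com</string></array>
        <key>DomainAction</key><string>NeverConnect</string>
      </dict></array>
    </dict>
    <dict>
      <key>Action</key><string>Disconnect</string>
      <key>SSIDMatch</key><array><string>CorpLAN</string></array>
    </dict>
  </array>
</dict>
</plist>"""


def shadowed_rules(rules):
    """Return (index, action) for every rule placed after the first
    EvaluateConnection rule; per the text above, those never run."""
    for i, rule in enumerate(rules):
        if rule.get("Action") == "EvaluateConnection":
            return [(j, r.get("Action")) for j, r in enumerate(rules) if j > i]
    return []


def hoist_exclusions(rules):
    """Return a reordered copy with shadowed Connect/Disconnect rules moved
    directly above the first EvaluateConnection rule, order preserved."""
    dead = {j for j, a in shadowed_rules(rules) if a in ("Connect", "Disconnect")}
    moved = [r for j, r in enumerate(rules) if j in dead]
    rest = [r for j, r in enumerate(rules) if j not in dead]
    cut = next((i for i, r in enumerate(rest)
                if r.get("Action") == "EvaluateConnection"), len(rest))
    return rest[:cut] + moved + rest[cut:]


if __name__ == "__main__":
    rules = plistlib.loads(SAMPLE)["OnDemandRules"]
    print("unreachable:", shadowed_rules(rules))
    print("fixed order:", [r["Action"] for r in hoist_exclusions(rules)])
```

In the sample, the Disconnect rule for the excluded network sits below EvaluateConnection and is reported as unreachable; after reordering it is evaluated first.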