Re: want to block computer getting internet access via FSSO client on AD to FortiGate
Not sure I understand your needs.
FSSO IS IP-based, not session-based, unless you use the Collector for NTLM.
Keep in mind that pure IP-based policies (in short, ones with no user groups) have priority over identity-based policies.
Time schedules should work for both types.
Unless your DCs are behind the firewall from a network/policy perspective (i.e. if no traffic/forward policy governs access from the PC to the DC), logon to the domain should always work.
FortiGate is an implicit deny-any type of firewall, so policies are exemptions allowing access under specific conditions, like time, source/destination address/port, services, and user/device identity.
So to achieve identity-driven access, avoid any pure IP-based policies without a user group bound to them.
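As an added illustration (not part of the reply above, and not taken from any Fortinet documentation), here is a FortiOS CLI fragment of the kind of policy set the advice points at: the implicit deny stays in place, one allow policy lets PCs reach the domain controllers without any identity requirement (so logon works before FSSO knows the user), and the only policy to the WAN matches members of an FSSO group inside a time schedule. The weak policy that would undo this, a source/destination-only allow to the WAN with no group, is shown commented out. Interface names (port1 WAN, port2 LAN, port3 server segment), the address object, the group name, the AD group DN and the schedule are all assumptions for the example.

```text
# Assumed objects for this example: port1 = WAN, port2 = LAN, port3 = DC segment,
# "DC_Servers" = address object for the domain controllers,
# "FSSO_Internet_Users" = FortiGate group mapped to an AD group learned via FSSO,
# "Office_Hours" = recurring schedule. None of these names come from the thread.

config user group
    edit "FSSO_Internet_Users"
        set group-type fsso-service
        # DN of the AD group as reported by the FSSO collector (assumed value)
        set member "CN=Internet Users,OU=Groups,DC=example,DC=com"
    next
end

config firewall schedule recurring
    edit "Office_Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

config firewall policy
    # Policy 1: PC -> DC, deliberately NOT bound to a group.
    # A workstation has no FSSO identity until the logon succeeds,
    # so this path must be allowed on address/interface alone.
    edit 1
        set name "LAN_to_DC"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "DC_Servers"
        set action accept
        set schedule "always"
        set service "ALL"
    next

    # Policy 2: the only allow policy towards the WAN. It matches only
    # source IPs that FSSO currently maps to a member of the group, and
    # only during the schedule. Any other LAN host hits the implicit deny.
    edit 2
        set name "LAN_to_Internet_FSSO"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "Office_Hours"
        set service "ALL"
        set groups "FSSO_Internet_Users"
        set nat enable
    next

    # Do NOT add a policy like this one. With no "set groups", it is a pure
    # IP-based allow to the WAN and would grant internet access to every
    # LAN address regardless of who (if anyone) is logged on.
    #
    # edit 3
    #     set name "LAN_to_Internet_Any"
    #     set srcintf "port2"
    #     set dstintf "port1"
    #     set srcaddr "all"
    #     set dstaddr "all"
    #     set action accept
    #     set schedule "always"
    #     set service "ALL"
    #     set nat enable
    # next
end
```

To check the result from the CLI, `diagnose debug authd fsso list` shows which source IPs FSSO currently associates with a user and group; a host that is not in that list cannot match policy 2 and, with no other allow policy to port1, falls through to the implicit deny.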