Yes, it is a bit of a pain, but if what you put in the exclusions doesn't include the 'class' that would be the trigger, I don't know if it would work in the way you expect, as you have used wildcards in the URL blocking.
I think it is erring on the side of protection first. There is also another area where you could try to put windowsupdate.com (I'm not sure if that requires an IP rather than a URL, or if it relates only to streaming media): in the Basic tab of the Web Shield Customize settings, under Ignored addresses. See if it works there, but I would look at parental control apps.
A parental control application would certainly be better and easier on the control side of things.
Welcome to the forums.