Application Control has two tabs available to block applications: the Applications tab and the Rules tab. Entries in the Applications tab require around 10 packets to recognize the signature of the application. Once the signature is recognized, the appropriate action is taken, such as blocking the traffic. Custom entries in the Rules tab, however, take around 15 packets to recognize the application signature. Consequently, if the application is blocked by an entry in the Applications tab, the Rules tab never receives the 15 packets it requires to recognize the application and take the appropriate action.
Creating pass rules in the Rules tab is intended only for passing traffic that would otherwise be blocked by a subsequent custom rule in the Rules tab. Keep in mind that these rules are read from the top down until a match is made; no rules after the match are read.
As an example to illustrate how this would be set up, suppose you have a rule blocking YouTube to the 192.168.1.1/24 subnet.
Now suppose there is one user at 192.168.1.20 for whom you would like to pass YouTube. Create a pass rule and place it above the YouTube block rule.
The final result in the Rules tab would look something like this:
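The ordering described above, modelled as an added example (not the product's code or rule format): a first-match evaluator plus a check for rules that an earlier rule makes unreachable. The `Rule` fields, the rule names, and the default of passing unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical model of a Rules tab entry
    name: str
    source: str                  # single host or CIDR
    app: str
    action: str                  # "pass" or "block"

    def net(self):
        # strict=False accepts a host address with a prefix (192.168.1.1/24)
        return ipaddress.ip_network(self.source, strict=False)

    def matches(self, src_ip, app):
        return app == self.app and ipaddress.ip_address(src_ip) in self.net()

def evaluate(rules, src_ip, app, default="pass"):
    """Read rules top-down; the first match decides and the rest are skipped."""
    for rule in rules:
        if rule.matches(src_ip, app):
            return rule.action, rule.name
    return default, None         # assumed default when no custom rule matches

def shadowed(rules):
    """Rules that can never match: an earlier rule for the same
    application already covers their entire source range."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.app == later.app and later.net().subnet_of(earlier.net()):
                found.append(later.name)
                break
    return found

PASS_USER = Rule("Pass YouTube for one user", "192.168.1.20", "YouTube", "pass")
BLOCK_NET = Rule("Block YouTube for subnet", "192.168.1.1/24", "YouTube", "block")

CORRECT = [PASS_USER, BLOCK_NET]     # pass rule above the block rule
REVERSED = [BLOCK_NET, PASS_USER]    # pass rule is never reached

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("reversed", REVERSED)):
        for ip in ("192.168.1.20", "192.168.1.55"):
            print(label, ip, evaluate(rules, ip, "YouTube"))
        print(label, "shadowed:", shadowed(rules))
```

Running `shadowed()` over an exported rule list before saving it flags a pass rule that was placed below the block rule it was meant to override.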