It is possible to configure this.
In pre-authentication mode, end-users are able to access only the Splash Portal and the IPs or domains that have been configured in access devices as Walled Garden.
Unlogged end-users who click on an external link of a content-block, will get an error message, even if IPs or domain are actually reachable by the device. At the moment it is possible to fix this, by applying the workaround described in Accessing content block external links even in pre-authentication mode.