Hi,
Web Application and its respective operations are to be seen as part of a single entity. Just using a rule to block "Upload Attachment" will not have effect globally. This will only affect the pre-defined web applications which support the "operation" of "Upload Attachment". This is the reason why the "HighTail" is not having any effect on file upload. For this to work, we may have to depend on the good old way to creating policy from scratch. Steps below
** SSL Interception will be required for this
1) Find the domain which is used when we click upload button on the website. If this is different from the domain used for download/normal access, we can put a block there itself
and/or
2) Method used for upload, ie POST combined with a request content-length header of size above 100Kb. This should be "AND" with above domain used for upload and Deny
This could take some trial-error but worth it :)