First of all, enable the traffic log in both rules to see what happens -- or doesn't happen.
In both rules, delete local ports 80/443 under Service. Your local port is unknown; the browser determines it randomly (it's a number above 1024).
As Brian says, in the Allow rule only put *.hotmail.com for the host and delete the other stuff (but see below).
In the Block rule delete the remote hosts ("Domain name: *"). Under "Service" you are already blocking the outgoing stuff for ports 80 and 443, that is sufficient.
Put both rules in one Firewall policy, the allow rule above the block rule.
However, even after these changes it probably won't work. That's because a call to hotmail.com triggers calls to some other domains. And finally you will be redirected to live.com.
In my tests, you have to put (at least!) these remote domains in the allow rule:
*.hotmail.com
*.gfx.ms
*.verisign.com
*.live.com
To retrieve these domains (and for other things), the traffic log is very helpful (Client GUI > View Logs > Network Threat Protection > Traffic log).
### EDIT
To get better results, just put a domain name (hotmail.com instead of *.hotmail.com etc.) in the domain list.
HTH!