Always use and include a whitelist to your app. The whitelist can be easily be activated.
You are able to block based on domains. If you have content on separate domain (or subdomain), then it can be blocked it via the Workbench.
Block all ads, such as exchange links, trackers, etc.
Analytics should be left open and included in the whitelist since the customers want to see this.
Look at domains to determine what to include and exclude in the whitelist and workbench. You can use a dummy Reach app to get the domains and look at zones.
If there are domains from the website you are 'wrapping' which users do not navigate to but is used for resources then the default zone should be set as Exit Zone.
If there are domains from the website you are 'wrapping' which you do not want access or resources from then the default zone should be set as Blocked Zone.