Hello There

Firewall rules allow for specifying an application so you could block the communication for all applications but the IM.
In the static group sync task you can specify how to handle conflicts and computer / group extinctions:

Do you use ESET Inspect so that I could prepare an example of a rule to block those applications?
As for not yet run tasks, you can delete them in the Tasks pane:

Re. backup, there are currently no plans to make it possible to run backup from the web console.
Re. task cancellation, there are plans for further improvements, including the cancellation of already running scheduled tasks.

The easiest way is to go to the same location - click on the system and go to Configuration -> Applied policies. If the policy Status is 'Actual' this means that the endpoint reported back that this policy was successfully applied. You will notice that if you change a policy this status will become 'Not Actual' until the system communicates with the server. 
Also, if you go to policy details for a policy in your catalog you will see that it has two sections - Assigned to, and Applied on. The former refers to where you assigned the policy, and the latter which systems actually report back that the policy is applied locally.
I hope this helps.

Don't use Web Control but the URL management to block access to all sites with logging severity set to None:

Then you can add the desired urls to the Allowed url list.
Note that the content loaded from other than allowed websites will be blocked too.
You can enable password protection and override mode via a policy:

 
 

10. How can I see on a target computer which policy is applied? When I often switch policies in a management console, how long does it take to propagate to clients? How can I verify that a policy is actually applied?
You can check this by going into a system's details and then -> Configuration -> Applied Policies. Alternatively if you go to the policy catalog you can select a policy and go to its details. There you can see where it is assigned and which systems it is applied on.
11. How to use Web Control to block all internet access except a few specific websites?
If you are referring to web pages, you can create a Web Control rule to block all let's say .com, .org, etc sites by using wildcards (https://help.eset.com/ees/7/en-US/idh_dialog_epfw_add_url_addr_mask.html) and then you can create exceptions. Not sure if this is the best approach, hopefully someone from ESET can provide a better idea. If you are referring to network access instead of web pages, you can use the firewall component and create the rule you desire.
12. Since some users are local admins, how to prevent local administrators on target devices from changing ESET settings? We need that only domain admin or ESET management console users can change setting. 
There are two places where you should set up a password:
In the Endpoint Security product (different for endpoints and servers - set it up in both policies) under User Interface -> Access Setup. In the Agent policy (this will protect the ESET product from uninstallation) - Under Settings -> Advanced Settings -> Setup -> Password protected setup.

10 - An eset staff could have a better answer than me
11 - Better to block from network/firewall level , rather than let ESET work hard on CPU to keep blocking everything , anyway it's easier to be done from a NGFW
12 - You can password protect the settings, and prevent local admins from knowing that password , or through a policy rule it would prevent changing through GUI even if you are admin if I am not mistaken.

If you mean a scheduled on-demand scan, it's not possible to stop running scans from the management console yet.
ESET does not offer a patch management solution but this may change in the future.
Please refer to https://help.eset.com/protect_install/90/en-US/db_backup.html
Computers can be moved between static groups only by an administrator or when syncing with AD:
https://help.eset.com/protect_admin/90/en-US/fs_using_ad_sync.html
ESET does not provide Application control. However, you can create HIPS rules to block applications at a specific path or ESET Inpect rules to detect and block files based on various information from version info, such as:
SignerName
CompanyName
FileDescription
ProductName
FileVersion
and many more.
You can create time slots in a policy:


and then use them in Web Control rules:

 
You can edit update settings in the Update and Scheduler section of a policy:

We strongly recommend to update from ESET's servers via an http proxy and keep default settings. This will ensure that protection against the latest malware will be delivered every few minutes. You can also update from a local mirror, however, this will limit updates to 4-5 per day:
https://help.eset.com/protect_install/90/en-US/mirror_tool_windows.html
 
You can get a list of installed 3rd party software into reports by enabling it in a management agent policy, however, as already mentioned we don't currently provide a patch management solution.