First, a correction: You want the Application > Outgoing Security page, and Client Restriction settings, which are same choice of include or exclude.
You should be able to use IP or domain name, and you can put multiple separated with comma. You can only allow or not allow. If you allow a domain or set of domains, you are not allowing every other domain. If you do not allow certain domain(s), you are allowing every other IP or domain.
The HTML container's IP does not matter in this case, it is the IP address of the player. The IP of the HTML container is the what you are trying to control when you use HotLinkDenial. If you are using that you might want to use htaccess rules if an IFrame is involved.