In BES 5.0 SP2, Admin Guide - Exchange enviroment. http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf
check out page 49.
Then check out the Policy Reference Guide. http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf
The properties at the individual level override the properties at the group level.
The properties at the group level override the properties at the domain level.
If I understand what you want to do, you can assign domain level properties for all of your users. Then, for your certain users that you decide have additional needs, assign them a group with your force encryption and wifi profile policies.
The Wifi item on policy should just be an option that you configure within a certain policy as well as tab on the specific user. The wifi options on the policy are much more robust. Once it is defined on the policy, you can then assign that policy to a group. Then that group gets assigned to a user and it will make its way to the device. What exactly are you experiencing?