If you have users of varying levels of access. Your best option (IMHO) would be an external proxy.
ISA / Webwasher / Websense / Bluecoat just to name a few. Personally I have used Webwasher and Websense because there is no configuration on the clients at all. The Cisco branded firewalls will direct any web request to the proxy for authentication with those two brands.
_________________________
Today is the tomorrow you worried about yesterday.
