I'm bumping the tail-end of this thread, but here goes.
We implement per-user dynamic content filtering using an N2H2 on a Squid
box running as a transparent proxy. When we had TNTs, we used
ASCEND-IP-DIRECT to force filtered users through the N2H2. We use Cisco
AS5800s now and have an outbound policy that checks and redirects based
on the IP address they are assigned (until I get the final VPDN