From what I'm gathering, it's probably best to mark and police based on an access list similar to From Any to <web server> eq 80, or something to that effect. Maybe something like From <Firewall NAT IP> to Any eq any for internal users and police based on that.
I don't think you can police based on individual flows that are defined by an aggregate ACL.
So basically you can prevent public site traffic and Internal traffic from affecting each other, but not from affecting itself. An internal high-load user can slow down other users, but can be stopped from affecting web site performance.
Scott M, do you think the Microflow policer you referred to can limit traffic based on individual flows within a defined range (acl)?
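For reference, here is what the ACL-based marking/policing described above looks like in Cisco IOS MQC syntax. This is an added example, not configuration from the poster or from any device in this thread: the web server address 203.0.113.10, the firewall NAT address 203.0.113.1, the interface name, the ACL/class/policy names and the rates are all assumptions chosen for illustration (203.0.113.0/24 is the documentation range). The aggregate policers in POLICE-EDGE cap each class as a whole, which is exactly why one heavy internal host can still crowd out other internal users while being kept away from the web-server budget. The second policy-map shows the per-flow (microflow) form; that syntax is the Catalyst 6500 PFC `police flow` form as I recall it, so treat it as an assumption and check it against the platform's command reference before relying on it.

```cisco
! Public web traffic: anyone to the web server on TCP/80
ip access-list extended WEB-TRAFFIC
 permit tcp any host 203.0.113.10 eq 80
!
! Internal users: everything sourced from the firewall's NAT address
ip access-list extended INTERNAL-USERS
 permit ip host 203.0.113.1 any
!
! One class per ACL, so the two traffic types get separate budgets
class-map match-all WEB
 match access-group name WEB-TRAFFIC
class-map match-all INTERNAL
 match access-group name INTERNAL-USERS
!
! Aggregate policers: each class is limited as a whole (rates are placeholders).
! A single heavy internal host shares INTERNAL's 20 Mb/s with everyone else
! behind the NAT, but can never eat into WEB's 50 Mb/s.
policy-map POLICE-EDGE
 class WEB
  set dscp af31
  police cir 50000000 conform-action transmit exceed-action drop
 class INTERNAL
  set dscp default
  police cir 20000000 conform-action transmit exceed-action drop
!
! Per-flow (microflow) variant, Catalyst 6500 PFC syntax as assumed above:
! each source address inside the INTERNAL class gets its own 1 Mb/s bucket,
! so one host cannot starve the others in the same class.
policy-map POLICE-EDGE-MICROFLOW
 class WEB
  police cir 50000000 conform-action transmit exceed-action drop
 class INTERNAL
  police flow mask src-only 1000000 32000 conform-action transmit exceed-action drop
!
! Apply inbound on the edge interface (interface name is an assumption)
interface GigabitEthernet0/1
 service-policy input POLICE-EDGE
```

Verify the result with `show policy-map interface GigabitEthernet0/1`, which lists conformed and exceeded packet counters per class; if the INTERNAL class shows drops while WEB does not, the two budgets are isolated as intended. Note that the microflow form only helps with fairness inside a class when traffic actually arrives with distinct source addresses: if the firewall NATs every internal user to the single address 203.0.113.1, a `src-only` mask sees one flow and degenerates to the aggregate behaviour, so the flow mask has to match what the NAT leaves visible.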