Hi Ian,
Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)
Otherwise can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.
When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.
You can use combination of regex & HTTP inspection with ASA 7.2+ code to achieve this
regex YOUTUBE "youtube\.com"
policy-map type inspect http xyz
parameters
protocol-violation action drop-connection log
match request header host regex YOUTUBE
drop-connection log
policy-map global_policy
class inspection_default
.
.
< SNIP..>
.
.
inspect http xyz
A good example can be found at
http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP
Another example at
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
Please rate if you find it informative.
HTH
Sachin Garg
