With a base configuration, the base security policy is all TCP and UDP is allowed out and only return (established) connections are allowed back in. Then you can start opening holes for mail servers, web servers, etc. You can set access lists to block outbound traffic to certain IP addresses/subnets or major nets. If you are looking to perform content filtering, the PIX works seamlessly with WebSense from www.websense.com