AAA is one way to go, but it will only allow you to track source and destination ip addresses. You can also use AAA to restrict http on a source/destination ip basis, but the PIX does not "see" URL's in this fashion.
So I would recommend using WebSense. This product provides an effective front-end for exactly this kind of restriction, and it actually does "see" URL's. It is the standard implementation for this type of security on the PIX - you reference it right from the PIX config. There is a little more info here:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...