Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source).
You can also tie the ASA directly into a filtering product like WebSense; check out the ASA documentation.
When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. A better option is to use WPAD (web proxy auto-detect) and have your browsers point to and/or be explicitly configured to use the proxy.
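
A PAC file of the kind WPAD hands to browsers for the explicit-proxy setup recommended above, as an added example that is not part of the original answer. The proxy name, port, internal DNS zone and address prefixes are assumed placeholders.

```javascript
// wpad.dat / proxy.pac (added example; all names and networks are placeholders).
// Written in plain ES5 with string tests only: no isInNet()/dnsResolve(),
// which force a DNS lookup per request inside the browser's PAC sandbox.
var PROXY = "PROXY proxy.example.internal:3128";      // hypothetical filtering proxy
var INTERNAL_SUFFIXES = [".example.internal"];         // hypothetical internal zone
var INTERNAL_PREFIXES = ["10.", "192.168.", "127."];   // matched on IPv4 literals only

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.lastIndexOf(suffix) === s.length - suffix.length;
}

function isInternal(host) {
  var h = host.toLowerCase(), i;
  // Single-label names ("intranet") resolve only on the local network.
  if (/^[a-z0-9-]+$/.test(h)) return true;
  for (i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWith(h, INTERNAL_SUFFIXES[i])) return true;
  }
  // Apply prefix checks only to dotted-quad literals, so a public name
  // such as "10.example.com" is not mistaken for a private address.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) {
    for (i = 0; i < INTERNAL_PREFIXES.length; i++) {
      if (h.indexOf(INTERNAL_PREFIXES[i]) === 0) return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable, browsing fails
  // instead of silently going around the filter.
  return PROXY;
}
```

Browsers locate this file through DHCP option 252 or a `wpad` DNS host, and it should be served as `application/x-ns-proxy-autoconfig`. The fail-closed return only holds if the ASA also blocks direct outbound web traffic from clients, since a user can always disable proxy settings.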