This is as much a social engineering question as a technological one. Are your users apt to violate an acceptable use policy? What are the consequences if they do? In other words, how big does the big brother need to be? Think also about how much time you want to invest in this, and the animosity of your users.

Commercial and open-source blacklists can both be a waste of time and money if a user can get to a single open proxy or HTTP tunnel. This is made doubly hard since the major web search engines cache content. The only sure way out is to have a closed system: a large whitelist of known good sites, but not many are willing/able to go this route (commercial systems, mentioned, essentially do this). Otherwise, you will need to aggressively block open proxies. See below. Check out DansGuardian too, for even more context-based filtering that also uses website rating systems.

What can help: Using data from the Open Directory Project (www.dmoz.org) and a pretty simple Perl script, you can jump-start black/whitelists. There are freely available scripts to do this. I've used one that was intended to migrate data from dmoz to MySQL. Search "mysql rdf dmoz". Some creative awk/sed/grep/perl, depending on your idiom, and in hours you can have a black/white list that numbers in the millions. Will it rival a commercial product? I'm not sure. But it will give you more control. Which is a mixed blessing.
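
An added sketch of the dmoz-to-list step described above (not part of the original post, and not one of the scripts it mentions), written in Python rather than Perl. It assumes the line layout of the dmoz `content.rdf.u8` dump; the sample records, the `.example` hostnames, the function names and the choice to set aside hosts that appear under both kinds of category are all assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample in the line layout of the dmoz content.rdf.u8 dump.
SAMPLE_RDF = """\
<ExternalPage about="http://www.kids-science.example/intro.html">
  <topic>Top/Kids_and_Teens/School_Time/Science</topic>
</ExternalPage>
<ExternalPage about="http://Casino-Hub.example/play?a=1&amp;b=2">
  <topic>Top/Games/Gambling/Casinos</topic>
</ExternalPage>
<ExternalPage about="http://hosting.example/~alice/homework/">
  <topic>Top/Kids_and_Teens/School_Time</topic>
</ExternalPage>
<ExternalPage about="http://hosting.example/~bob/poker/">
  <topic>Top/Games/Gambling/Poker</topic>
</ExternalPage>
<ExternalPage about="http://news.example/">
  <topic>Top/News</topic>
</ExternalPage>
"""
PAGE_RE = re.compile(r'<ExternalPage about="([^"]*)"')
TOPIC_RE = re.compile(r'<topic>([^<]*)</topic>')

def host_of(url):  # lower-cased hostname without "www.", or "" if unparsable
    try:
        host = (urlsplit(html.unescape(url)).hostname or "").rstrip(".")
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host

def under(topic, prefixes):  # topic is one of the categories or a subcategory
    return any(topic == p or topic.startswith(p + "/") for p in prefixes)

def build_lists(lines, black_prefixes, white_prefixes):
    """Stream the dump once; return (blacklist, whitelist, conflicts)."""
    black, white, url = set(), set(), None
    for line in lines:
        page, topic = PAGE_RE.search(line), TOPIC_RE.search(line)
        if page:
            url = page.group(1)
        elif topic and url:
            host, url = host_of(url), None
            if host and under(topic.group(1), black_prefixes):
                black.add(host)
            elif host and under(topic.group(1), white_prefixes):
                white.add(host)
    conflicts = black & white  # shared hosts in both: leave for a human
    return black - conflicts, white - conflicts, conflicts
```

Passing an open file object as `lines` keeps memory use flat on the full dump, and each returned set can be written one host per line as a domain list for the filter in use.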