Layered Web filter policy by Groups
Recommend changing to the Bluecoat permissions model. Web filtering should be applied by groups of users or workstations (typically groups of users), in a top-down model that builds on the 'ALLOWS' present in each group the user is a member of.
Web Filter Groups would then be able to have assigned access to different areas of the internet (think SharePoint, Dropbox, Google Docs) based upon that group's need. The user may be a member of multiple groups, so stacking of 'ALLOWS' is critical for internet access.
In a HIPAA-controlled environment, I have users that regularly have roles added and removed that need them to have access to a specific resource. I don't want to create a policy for each user based upon their needs. I should be able to have a Dropbox Group, a SharePoint Group, a Google Docs Group, and know that when I add the user into that group, they will have access to those resources regardless of other group memberships.
Bluecoat has used this model since 2004, and it is highly effective for group-centered internet access allows, greatly simplifying web access management. If a user is allowed in one group, regardless of a block anywhere else, the Allow permission from that group wins.
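The stacked-allow evaluation described above, as an added example that is not part of the original post and not Bluecoat's or any vendor's code: a user's effective access is the union of the allows of every group they belong to, with an explicit block elsewhere unable to override it. A deny-wins evaluator is included alongside it so the difference in outcome for a user who is both a Dropbox Group member and a member of a hypothetical "Restricted" group is visible. Group names, hostnames and categories are constructed sample data.

```python
# Constructed sample data standing in for directory groups and a URL-category database.
GROUP_ALLOWS = {
    "All Staff": {"corporate-intranet"},
    "Dropbox Users": {"dropbox"},
    "SharePoint Users": {"sharepoint"},
    "Google Docs Users": {"google-docs"},
}

# Hypothetical group that carries an explicit block (only matters under deny-wins).
GROUP_BLOCKS = {
    "Restricted": {"dropbox"},
}

CATEGORY_OF = {
    "www.dropbox.com": "dropbox",
    "tenant.sharepoint.com": "sharepoint",
    "docs.google.com": "google-docs",
    "intranet.example.internal": "corporate-intranet",
}


def categorize(host):
    """Look up the destination category; unknown hosts fall into 'uncategorized'."""
    return CATEGORY_OF.get(host, "uncategorized")


def allow_wins(user_groups, host):
    """Stacked-allow model from the post: permit if ANY group the user belongs to
    allows the category, regardless of blocks in other groups. Anything that no
    group allows falls through to the default block."""
    cat = categorize(host)
    return any(cat in GROUP_ALLOWS.get(g, set()) for g in user_groups)


def deny_wins(user_groups, host):
    """Contrasting model: an explicit block in any of the user's groups overrides
    every allow, so adding a user to the Dropbox Group is not sufficient on its own."""
    cat = categorize(host)
    if any(cat in GROUP_BLOCKS.get(g, set()) for g in user_groups):
        return False
    return any(cat in GROUP_ALLOWS.get(g, set()) for g in user_groups)


if __name__ == "__main__":
    user = ["All Staff", "Dropbox Users", "Restricted"]
    for host in list(CATEGORY_OF) + ["example.org"]:
        print(f"{host:28} allow-wins={allow_wins(user, host)!s:5} "
              f"deny-wins={deny_wins(user, host)}")
```

Adding the user to a single resource group is enough under allow_wins, which is exactly the administrative simplification the post asks for; the same membership set yields a different answer for Dropbox under deny_wins, which is the behaviour worth checking before switching models.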