We have a McAfee SIG 3200 appliance, and rules are pretty much clear cut - Deny this, allow that! The 'deny' and 'allow' are applied to the different categories we have created for the different levels of access groups. whilst the rules remain unchanged, restricted sites (like yahoo, youtube etc)...