1. This kind of gateway is not intended to be perfect, just to save lots of organisation time and resources: by preventing users from f-ing up their workstations and infecting the internal network by visiting malware sites, by preventing them from wasting organisation time and leaking organisation data by spending their time on Facebook and friends, and by preventing them from saturating access points by watching live HD video or other non-work-related heavy material from internal networks.
2. It's not an absolute barrier to technophiles, but they don't present the same risks and won't accidentally endanger their work tool by being absolutely clueless (I know how to bypass most of the checks, thank you very much. That's not the point).
3. You need a way to let people with a legitimate need and reasonable ability access dangerous web resources, to avoid them wasting their time finding workarounds (so the filtering needs a way to identify users in order to elevate them).
4. There are many other ways to compromise a network, and there is no economic justification for wasting limited resources ironcladding one entry point instead of trying to get them all to reasonable danger levels.
5. I've checked what I wrote with the correct IETF workgroup. I guess that takes care of discussing with 'someone who actually knows what he's doing'.
6. The way things fail today is 100% due to free software people being absolutely clueless about non-personal-network needs (either they work from home, or they negotiated their own free-for-all internet access bubble at work and think it should be generalised to the clueless lambs who think it's less hassle to change their personal PC every few years than to try to understand why it periodically crawls to a halt and starts showing porn web sites, and for whom Facebook data is private).
7. The only setup that sort of works, apart from DPI, is to force everyone to use a Windows system + Internet Explorer and use the AD to provide the network gateway auth credentials, because Microsoft at least invested time learning the use-cases instead of treating this class of customers as idiots.
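The policy shape points 1 and 3 describe (block malware, social and bandwidth-heavy destinations for ordinary users, but let an identified, elevated group through, and log every decision so the exceptions can be reviewed) is easy to state in code. The following is an added example written for this page, not code from the poster or from any gateway product; the host categories, user names and the `web-elevated` group name are constructed stand-ins for a real URL category feed and a directory (AD) group lookup, and the authenticated user name is simply passed in, since the auth mechanism from point 7 is out of scope here.

```python
"""Minimal forward-proxy access policy (added example, constructed data).

Models the gateway described above: restricted categories are denied for
ordinary users, allowed for members of an elevated directory group, and
every decision produces an audit log line.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample categorisation of destination hosts (stand-in for a
# commercial URL category feed or a locally maintained blocklist).
HOST_CATEGORY = {
    "malware.example": "malware",
    "facebook.example": "social",
    "video.example": "streaming",
    "docs.example": "work",
}

# Constructed directory group membership (stand-in for an AD group lookup
# performed after the gateway has authenticated the user).
USER_GROUPS = {
    "alice": {"staff"},
    "bob": {"staff", "web-elevated"},
}
ELEVATED_GROUP = "web-elevated"  # hypothetical group name

# Categories denied to ordinary users, with the reason recorded in the log.
RESTRICTED = {
    "malware": "malware site",
    "social": "non-work social media",
    "streaming": "bandwidth-heavy streaming",
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def categorise(url: str) -> str:
    """Map a URL to a category, matching the host or any parent domain
    so that www.facebook.example matches the facebook.example entry."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        category = HOST_CATEGORY.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def decide(user: Optional[str], url: str) -> Decision:
    """Apply the policy. Unauthenticated requests (user is None) get the
    ordinary-user rules; only an identified elevated user is exempted."""
    category = categorise(url)
    groups = USER_GROUPS.get(user, set()) if user else set()
    if category in RESTRICTED:
        if ELEVATED_GROUP in groups:
            return Decision(True, f"{RESTRICTED[category]} allowed for elevated user")
        return Decision(False, RESTRICTED[category])
    # Not perfect by design: anything not in a restricted category passes.
    return Decision(True, f"category {category}")


def audit(requests: List[Tuple[Optional[str], str]]) -> List[str]:
    """Evaluate a batch of (user, url) requests and return one log line each,
    so denials and elevated-user exceptions can be reviewed later."""
    lines = []
    for user, url in requests:
        d = decide(user, url)
        host = urlsplit(url).hostname or "-"
        action = "ALLOW" if d.allow else "DENY"
        lines.append(f"user={user or 'anonymous'} host={host} action={action} reason={d.reason}")
    return lines


if __name__ == "__main__":
    sample = [  # constructed sample traffic
        ("alice", "http://www.facebook.example/feed"),
        ("bob", "http://www.facebook.example/feed"),
        (None, "http://malware.example/payload"),
        ("alice", "https://docs.example/handbook"),
    ]
    for line in audit(sample):
        print(line)
```

The elevation check is deliberately the only exception path: an elevated user is identified by group membership, not by a per-URL whitelist, which is what keeps the "legitimate need" case from turning into a pile of one-off workarounds.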