[c-nsp] ASA/CSC - workaround for limited filtering options

Garry gkg at gmx.de
Wed Sep 12 02:17:43 EDT 2007


After doing basic configuration of a 5510 w/CSC20 for a customer 
network, our customer has come up with some wishes about specific 
filtering options that I don't see any way of implementing with the 
CSC's rather limited filtering options. Even with the most current 6.2 
(1599) version of the CSC OS, which finally allows the content filtering 
to be bypassed for certain IPs/Subnets, I do not see any way of 
implementing this without an additional box with - say - a squid proxy 
on it:

- certain sites (all within a specific IP range) aren't supposed to get 
any web access, except for specific web sites required for business purposes
- certain other sites (again, within a specific IP range) receive web 
access, though content scanning will prevent e.g. porn sites from being 
accessed
- for all accesses, virus/malware filtering is to be performed, of course

Having a decent permission system on the ASA/CSC itself to do more 
sophisticated ACLs for web access ... while I understand that it's not 
the main job of a _content_ engine to perform ACL supervision for client 
access, I do see it as an integral part of such a gateway ...

Any thoughts or suggestions?

