IMHO all direct access to the net should be blocked. Ports 80, 443 and 21 should be opened only for the proxy. All other ports, except for some specific applications like VPN, should be blocked. Blocking only 80 and 443 will not work since messengers like GTalk and MSN use ports 5222 and 1863.
I have not used DansGuardian, but we use the SafeSquid free edition as a content filtering proxy and application layer firewall. You can use it independently, or use it for content filtering and forward requests to squid. I can tell you how to solve your problem using SafeSquid.
SafeSquid uses a unique 'profiles' method to identify users and applications. You can create unlimited user and application profiles. These profiles are then used to grant access rights, depending on the user profile and the application he is trying to access.
There are multiple methods of blocking access to a category or nature of website. You can block access to email sites using:
# URL Filter: Allows you to define specific URLs or domains [(gmail.com|mail.yahoo.com|login.live.com)] or a regex that looks for 'mail' in the URL (.*mail.*). This simple regex will match almost all email websites like mail.google.com, mail.yahoo.com, hotmail.com, rediffmail.com, etc. You can either globally deny access to these sites, or create an application profile to allow / deny access depending on a group or user profile.
# URL Blacklist: We use the categorized database of websites from urlblacklist.com to allow / deny access to a category of websites like mail, webmail, porn, adult, etc.
# Keyword Filter: This is a unique method of predicting the category a website belongs to, and blocking access to unwanted categories. This method is also effective in blocking access when users try to reach a denied website through an external anonymous proxy.
IMs and Chats:
Different IMs and Chats use different methods of communication. Therefore, we have to use different methods for blocking access. This will be effective only if users do not have any direct access to the net.
The following are a few examples:
# Yahoo Messenger: Can be blocked by simply blocking the URL shttp.msg.yahoo.com
# MSN Messenger:
Block URL: gateway.messenger.hotmail.com
Block File: gateway.dll (MIME filter)
Normally uses port 80 or 1863
# Google Talk:
Uses the XMPP protocol on ports 5222, 80 and 443
Block Host: (talkx.l.google.com|talk.google.com)
Block Request header pattern: User-Agent: Google Talk
Blocking the User-Agent works best with GTalk.
Depends on what you would like to deny access to.
# The SafeSquid 'MIME Filter' allows you to block access to files depending on the file extension (exe, zip, com) or MIME type (application, audio, video).
# The SafeSquid 'Limits' section allows or denies downloads depending on the size of the file being downloaded.
There are many other similar options available. The correct solution can only be framed after analyzing the exact requirements.
We find SafeSquid to be the perfect solution for such requirements because, unlike other solutions, SafeSquid has a simple and easy to manage GUI interface. Admins with very little or no knowledge of Linux can also very easily manage it.
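As an added illustration (not part of the original post and not SafeSquid's configuration syntax), the Python sketch below applies the kinds of rules described above to a proxied request: the explicit host list from the post, the `.*mail.*` URL regex, the gateway.dll file name, the Google Talk User-Agent pattern, and MIME-filter style extension and content-type checks. `Request` and `decide` are hypothetical names and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set modelled on the post's examples (not SafeSquid's own
# configuration): explicit hosts, a URL regex, a file name, a request-header
# pattern, and MIME-filter style extension / content-type rules.
HOST_DENY = {
    "gmail.com", "mail.yahoo.com", "login.live.com",   # webmail
    "shttp.msg.yahoo.com",                              # Yahoo Messenger
    "gateway.messenger.hotmail.com",                    # MSN Messenger
    "talkx.l.google.com", "talk.google.com",            # Google Talk
}
URL_DENY = re.compile(r".*mail.*", re.IGNORECASE)   # note: also hits e.g. mailchimp.com
FILE_DENY = {"gateway.dll"}
UA_DENY = re.compile(r"^Google Talk", re.IGNORECASE)
EXT_DENY = {"exe", "zip", "com"}
MIME_DENY = ("audio/", "video/")


@dataclass
class Request:
    host: str
    path: str = "/"
    headers: dict = field(default_factory=dict)
    mime: str = ""  # response Content-Type, if already known to the proxy


def decide(req: Request) -> tuple:
    """Return (allowed, reason); the first matching deny rule wins."""
    host = req.host.lower()
    if host in HOST_DENY:
        return False, "host"
    if URL_DENY.match(host + req.path):
        return False, "url-regex"
    filename = req.path.rsplit("/", 1)[-1].lower()
    if filename in FILE_DENY:
        return False, "file"
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXT_DENY:
        return False, "extension"
    if UA_DENY.match(req.headers.get("User-Agent", "")):
        return False, "user-agent"
    if req.mime.lower().startswith(MIME_DENY):
        return False, "mime"
    return True, "allowed"


if __name__ == "__main__":
    for r in (Request("mail.google.com"), Request("www.example.org", "/news.html")):
        print(r.host, decide(r))
```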