Thanks for all the messages on this thread.
The overwhelming consensus seems to be that its generally
ok even on a sensitive network - as long as you strip out things
like Java and ActiveX at the proxy, log like hell, keep and eye
on the whole thing and back it all up with a clear security
policy to keep the users at bay and to make it clear what you
are trying to achieve.
Even so, the whole thing leaves me with a slightly uneasy
feeling - the inventiveness of what people are doing with
plain old http seems to know no bounds.