I setup a network for a school a long time ago (1997). We filtered nothing, but here's how the network worked.
Each student had a NIS login and a NFS homedir. All web traffic went through a squid proxy. All of the desktop PCs were Linux (RH 4 or 5 at the time, I forget)
Basically we had a reasonably good way to do two things:
* Know which students were on which computers at what time.
* Know exactly what sites they were hitting.
* We loudly and repeatedly reminded the students that they were monitored.
Of course this was not a foolproof solution, but it was good enough to keep the students in line. If someone at that school was smart enough to get around the proxy, they probably earned the right to do so. We had no problems with that school. We even put the "troublemaker/hacker" kids to work keeping the crappy PCs up and running instead of doing stupid shit like ban them from computers. They took pride in the responsibility.