Among the key aspects of security that many none security techies (control-freaks and politicians) miss is the fact that Security is supposed to be an enabler. It isn't supposed to get in the way of business.
Aside from legal and compliance matters, security should never get in the way of day-to-day operations.
The business of a University of LEARNING. Internet is a vital and essential part of learning - draconian restrictions will never help security.
The "IT Guy" obviously hasn't segmented his network; nor has he done a threat assessment, risk assessment or analyzed the business requirements of Internet in a University!
When your "security" policy/procedures force users to work around, bypass, hack; then that security policy has FAILED.
At my old university, (1998), we got our useless IT Administrator sacked when the students and staff got together and made the case to the University Administrators (it was a fun meeting
FIGHT DA POWA!