Three words: Target Disk Mode
Sorry. I missed that first "not" in your post. As for apps with their own certs, you would let those stay encrypted, but limit where they can go. These kinds of apps (ones that use client certs if I'm reading you right) usually perform specific business functions and are not for general surfing. In fact, if it was me, I'd bypass the proxy entirely for these apps to keeps the number of moving parts to a minimum.
You'd be amazed how lazy corporate entities can be. Even "security companies"...
Actually that's not what these devices "are for". They're tools for enforcing company policy. That's it. They are not evil in and of themselves. Do clueless organizations try to use them for "nannying" their employees to death? Every day. And they're so busy making sure Joan in Accounting doesn't spend 15 extra minutes on Facebook that they miss all the PII and company IP going out one of the other many other open transports out of the company network. Any company that is serious about security either doesn't allow this information on the untrusted network (where the users live) in the first place or they lock down internet access to the point that most employees don't even know the company has a connection to the internet. Everyone else is a breach in progress.
And no, you don't need a certificate from a trusted CA to do SSL MITM on on a Bluecoat (but it would come in handy for a government entity spying on its citizens). All you need is a trusted wildcard cert. The Active Directory CA cert would work just as well in a corporate environment.
Those SA-2s didn't guide themselves...
UTM? That's soooo 2002! Though at the low end, that is probably the best solution today. Next Generation firewalls work at Layer 7 and inspect the packet once (instead of once for each way you want to look at it: stateful inspection, authentication, antivirus, IPS, etc.). I know of several UTM manufacturers at your price point whereas a Next Generation firewall starts at about $5000.00.
This is the future of firewalls. It's expensive now because it's new. But soon, you'll be able to do this on your SOHO (or SMB) firewalls: http://www.paloaltonetworks.com/