Comment Non-issue - simply decide if you *want* to filter. (Score 1)
This is a non-issue, mostly.
If you want to filter traffic, and maintain any level of control, first block all internet traffic from computers. Then set up filtering proxies on the application level, for the protocols you want to grant access to. Yes, that means that when a 10-year-old hacks your squid-guard machine, she'll be able to steal teachers' credit card numbers. But then 8-year-olds already had them, because they'd installed hardware keyloggers on a few select PCs...
The fact that it's possible to block/manipulate plaintext protocols is just a bug -- not a feature. Just look at all the sites that still use plain http for login.
You'd still need to monitor for unauthorized wireless LANs, student cellphones etc. Most schools I know of don't allow students to use cellphones in class; I see no reason why SSL traffic shouldn't be limited/filtered in order to provide fewer distractions during class.
Have the firewalls open up all traffic during breaks/lunch hour and/or the application proxies enable XMPP during those times -- or have a simple front end for each VLAN/subnet (i.e., classroom) where the teacher can select between no-filtering/blacklists+content filter/whitelists.
For good arguments about *why* a school might want to filter/restrict traffic see: http://yro.slashdot.org/comments.pl?sid=1693516&cid=32649110