PA Networks (Score 1)

Well, part of what you're describing can be bought today.
Appliances from Palo Alto Networks do just that: user awareness, L7 identification (even in SSL) so that allowing TCP 80 or 443 doesn't mean allowing everything, ...

They still lack many things from Checkpoint/Juniper/Cisco (PBR or IPSec aren't fully there yet IMHO) but they're quite impressive.
On some tests I did, it was able to see random encrypted UDP P2P packets as "Bittorrent". Not to mention that many webapps are seen as protocols (gmail, gmail chat, yahoo finance, etc...)

Kinda weird to define security policies by user|group/application instead of IP/port (you can still do that if it makes you feel more comfortable: use RFC ports or self-defined ports).

Sexy HW architecture with FPGAs and dedicated CPUs for each task, nice web interface with reporting: it's a real gap from a typical appliance firewall, but it costs an arm and a leg...

