said by hyde1:
I read that we cannot block https with content filtering, but that's useless because any user can visit "https":// youtube and gain access easily.
That's exactly my point, content filtering on unencrypted traffic only is pretty useless. The typical most commonly used workaround is DNS blocking.
HTTPs is nowadays typically 'inspected' by using the 'man in the middle' approach, where you insert a corporate SSL proxy on edge of your network and terminate all SSL connection requests on that proxy, issuing back a fake certificate (for which you install a trusted corporate CA into user's browsers) and then the SSL proxy does the SSL connection to the end server. The pipe is broken in the middle however for inspection.
There are very expensive enterprise solutions that provide appliances and/or SW for this.
Alternative not widely used approach is real-time decryption but that really works for weak ciphers and rich clients.
Your best bet is OpenDNS as already stated and common education of your users or setting corporate policies (i.e. these sites are banned and if we catch you going there we'll slap your hands kind of a deal).
Back to my earlier sentiments, CF/AS is useless, IDP/AV/AppPatrol is seriously under-powered on USG series.