what you can do is to have a ACL that just permit ip any any, and then have the "log" statment in the end. Then have these logs sent to a syslog server. But please bear in mind the extra CPU load this can generate, depending upon traffic rates, bandwidth etc. Also this will generate extra load on your syslog server.
But it can be used.
Alternatively you can place a cisco switch in series with you C3600 ethernetinetface, ans configure a SPAN session of this port, and have that collected by a Sniffer, like SnifferPro or etherreal etc. Dedicated appliances that does the same (plus more) can also be considered, fx Allot, or packetshaper/packeteer Dedicated network-taps are also an option here, as an inline device.
Or you can put in a webcache proxy-only server, and have all clients use this, and then deny everything else, but traffic from the proxy towards the internet. The you can detailed log of your internet usage. both Client IP's and visited sites.