Honestly it can be done either way. I used to work for the US Gov and we did. He used proxies on 80/443 and block everything else outgoing from the user pcs. However, there are different ways to construct your security policies, It really is a balance between what you are doing (how secure do you need to be?) and how much people will butch and moan about it.