As an alternative to a "coaching" option, I would like to see an option to give certain users the ability to override a blocked website, but with additional requirements.
In particular, since the WSS doesn't authenticate the user explicitly, I would like to suggest something like what you'd find with a multi-factor authentication prompt.
This is different from coaching in that I could require strong authentication to affirm a user gets to a website (above and beyond clicking a link to continue [coaching]), and I could separate certain types of websites (such as suspicious, peer-to-peer, software downloads, etc. - things which may pose a different type of risk but have a legitimate use case) to require this additional step.
Basically, this would be the process:
- The website is blocked
- The user, as long as they have a username that has been synced to the cloud (e.g., via Bluecoat auth connector), has a known email address.
- The user has an option to "confirm override"
- Upon clicking, the user is sent an email with a link.
- The user clicks that link, which enables the override.
- This provides:
  - Intent: the user saw the warning yet continued.
  - Non-repudiation: the user clicked the link in their own email.
  - Ultimately, a higher degree of confirmation that this was the intention.
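
One way the emailed link in the process above could be built so that it supports the intent and non-repudiation goals, as an added example that is not part of the original post and not a WSS API: a signed, short-lived, single-use token bound to the user and the blocked host. The function names, signing key, 10-minute lifetime and in-memory stores are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)   # assumption: key held only by the override service
TTL_SECONDS = 600                       # assumption: link valid for 10 minutes
_redeemed = set()                       # single-use ids; shared storage in a real service
audit_log = []                          # evidence of intent: who confirmed what, and when

def _sign(body: str) -> str:
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_override(email, host, category, now=None):
    """Build the token carried by the emailed link after 'confirm override' is clicked."""
    now = int(time.time() if now is None else now)
    claims = {"sub": email, "host": host, "cat": category,
              "exp": now + TTL_SECONDS, "jti": secrets.token_hex(16)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def redeem_override(token, proxy_user, now=None):
    """Return the claims if the link is valid for this user, else None."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None                 # forged or altered link
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None                     # malformed token
    if now > claims["exp"] or claims["sub"] != proxy_user:
        return None                     # expired, or opened by a different user
    if claims["jti"] in _redeemed:
        return None                     # replayed link
    _redeemed.add(claims["jti"])
    audit_log.append({"user": proxy_user, "host": claims["host"],
                      "category": claims["cat"], "confirmed_at": now})
    return claims                       # caller allows only claims["host"] for this user
```

The override applies only to the host named in the token, so a confirmation for one blocked site cannot be reused for another.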