So it can do what I want tho?  I don't just want to block users from the internet, I want to control what sites they visit...

That's my main objective...  Ident by AD would come later

You can block them by using Regex along with HTTP inspection.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

That's EXACTLY what page I read over and EXACTLY what I tried and got to work...  But the problem I had with that was that artical was made to block CERTIN sites.

I want to block ALL sites and ALLOW certin sites.  I kinda want to do the reverse.

Approach it like this:

Define which websites (that you want to allow access to) to be inspected with a Inspection Policy.

Instead of "match" you can use "match not", so any website you have NOT specified with regex will be blocked.

Thanks for the response Tim!  Yea that's the first thing I tried doing too hehe.  I never could get it to work though.  At what step in that article do I need to set the "Do not match" flag instead of the "Match" one?  (BTW I'm trying to learn more about the ASDM so I'm trying to do all the config on it as opposed to the CLI)  So witch step or (STEPS?) do I need to change that on from the article?  There are quite a few places that get you to set it to "Match" (Example Step 5a "HTTP Traffic" - sub step c).

I'm trying to just work with blocking or allowing domin names in general so I'm not doing steps like steps 3c (see note below).  I'm doing steps like step 3b.  That's where I would choose "Match Type" = "No Match" correct?

Note:

Steps I skip our are as follows...

1.b

1.c

1.d

1.e

1.f

1.g

2.b

3.c

4.e

5.b.*

Actually this is working perfectly!!!  Thanks Tim!

Two more small things though...

1) In step 1.a my "domainlist1" contains the following...

\.google\.com|google\.com

So the ONLY sites I can go to are http://google.com, http://www.google.com, http://maps.google.com, etc..

BUT...  I can also get to http://mygoogle.com   Is there anyway for me to make it to when that will not happen but still allow access to http://google.com ?

2) Is there a way to have this work per user on my domain?

  For example I want MYDOMAIN\User.One to be able to go to ANY sites and MYDOMAIN\User.Two and MYDOMAIN\User.Three to be restricted to go to the google.com list only (as listed above).

Yo,

Try using a single regex to filter this by using [my]google.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

So maybe something like [a-zA-Z0-9]google.com ?

Which would end up with 3 rules per domain

EDIT:

Yea that worked fine... I had to make 2 regex lists...  Below is everything I did to make it work.  When using the method below you can only go to sites that match the following criteria... http://google.com* or http://*.google.com*

1) Configuration->Global Objects->Regular Expressions->Regular Expressions

     ADD - allowed_http_domains = \.google\.com|google\.com

2) Configuration->Global Objects->Regular Expressions->Regular Expressions

     ADD - denied_http_domains = [(0-9A-Za-z)*]google\.com

3) Configuration->Global Objects->Regular Expressions->Regular Expression Classes

     ADD - DomainAllowList = allowed_http_domains

4) Configuration->Global Objects->Regular Expressions->Regular Expression Classes

     ADD - DomainDenyList = denied_http_domains

5) Configuration->Global Objects->Class Maps->HTTP

     ADD - AllowDomainClass

          Match Type = No Match

          Criterion = Request Header Field

          Value->Field->Predefined = host

          Value->Value->Regular Expression Class = DomainAllowList

6) Configuration->Global Objects->Class Maps->HTTP

     ADD - DenyDomainClass

          Match Type = Match

          Criterion = Request Header Field

          Value->Field->Predefined = host

          Value->Value->Regular Expression Class = DomainDenyList

7) Configuration->Global Objects->Inspect Maps->HTTP

     ADD - http_inspection_policy

8) Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections

     ADD - DenyDomainClass

          Match Criteria->Multiple matches->HTTP Traffic Class = DenyDomainClass

          Actions->Action = Reset

          Actions->Log = Enable

9) Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections

     ADD - AllowDomainClass

          Match Criteria->Multiple matches->HTTP Traffic Class = AllowDomainClass

          Actions->Action = Reset

          Actions->Log = Enable

10) Configuration->Security Policy->Service Policy Rules

     ADD Service Policy Rule

          Screen 1:

               Interface = inside - inside-policy

          Screen 2:

               Create a new traffic class = httptraffic

               Traffic match criteria = only check Source and Destination IP Address (uses ACL)

          Screen 3:

               Action = Match

               Source = any

               Destination = any

               Service = tcp-udp/http

          Screen 4:

               Protocol Inspection = only check HTTP (then click Configure)

               Select a HTTP inspect map for fine control over inspection = http_inspection_policy

          * CLICK OK then Finished

Thats it!  I hope this helps someone else out. 

Tim, I started a new discussion on setting up my ASA to use my AD to authenticate users.  Any input you have there would be very helpful!

https://supportforums.cisco.com/message/3427040

I'm not 100% positive but that would make sense...  If it would work then whats the point of encryption.