Next Gen Firewalls typically have three interesting features that change this game. The first is Single-Sign-On tech that allows the network engineer to use User ID (either from Active Directory or LDAP, or pulling it off 802.1x/RADIUS or SYSLOG). That gives them an extra special group that they can then give extra permissions or bypass capabilities to (maybe even with a coaching TOS screen). There are lawyers, executives, and HRIS people that may need bypass to do investigations for the company, or maybe the company just wants to treat people like adults, but in the case there is an HR issue or violation they need the logging. The second and third are the ability to handle application control, URL filtering, and GEO-IP reputation in the same security policy as the user identity. This single-policy execution makes these firewalls a no-brainer for pushing whatever policies you need.
Now, I am of a mindset that technology should fix business problems, and content filtering is a business problem. Depending on the business you are in and the job description, the responsibilities change. I think the discussion is fairly moot due to lack of information on the industry.
In the tech world, leave it open but log everything.
In the financial industry, GEO-IP, in-line antivirus, and application control (with SSL inspection) are key, but you have to be fairly open with the content filter (coaching pages).
In education, block everything (I keed, but not really).
etc etc etc
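To make the "single policy" idea above concrete, here is an added toy model (my own illustration, not any vendor's code and not part of the post above) of how an NGFW evaluates one ordered rule table where user group, application, URL category and destination country are all match fields. The IP-to-user mapping is built from constructed syslog lines in a hypothetical `user=... ip=...` format, standing in for what a User-ID agent would learn from AD, RADIUS or 802.1x; the group names (`filter-bypass`, `legal`), rule names, country codes and URL categories are all assumptions made up for the example. Note the ordering choice: threat and geo blocks are evaluated before the identity-based bypass rule, so the "treat people like adults" group still cannot reach malware sites, and every decision is returned with the user it was attributed to so it can be logged for an HR investigation.

```python
"""
Toy NGFW policy evaluator: identity + app + URL category + GEO-IP in one
ordered rule table, first match wins, default deny. Added illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed syslog lines in a HYPOTHETICAL format (not a real vendor format).
# A real User-ID agent would get these from AD logon events, RADIUS or 802.1x.
SAMPLE_SYSLOG = [
    "Jan 10 09:01:02 dc1 logon: user=jdoe ip=10.1.2.3",
    "Jan 10 09:03:15 dc1 logon: user=acounsel ip=10.1.2.4",
    "Jan 10 09:04:00 dc1 noise: unrelated line with no mapping",
    "Jan 10 09:05:44 dc1 logon: user=jdoe ip=10.1.2.3",  # duplicate is harmless
]

# Assumed directory groups; "filter-bypass" is the "extra special group".
USER_GROUPS: Dict[str, Set[str]] = {
    "jdoe": {"staff"},
    "acounsel": {"staff", "legal", "filter-bypass"},
}


@dataclass
class Session:
    src_ip: str
    app: str
    url_category: str
    dst_country: str


@dataclass
class Rule:
    name: str
    action: str                          # "allow", "block" or "coach" (TOS page)
    groups: Optional[Set[str]] = None    # None means "any user, known or not"
    apps: Optional[Set[str]] = None
    url_categories: Optional[Set[str]] = None
    dst_countries: Optional[Set[str]] = None


def parse_user_mappings(lines: List[str]) -> Dict[str, str]:
    """Build the IP -> username table from the hypothetical syslog format."""
    pat = re.compile(r"user=(\S+)\s+ip=(\S+)")
    mapping: Dict[str, str] = {}
    for line in lines:
        m = pat.search(line)
        if m:
            mapping[m.group(2)] = m.group(1)   # latest logon for an IP wins
    return mapping


def _hit(field: Optional[Set[str]], value: str) -> bool:
    return field is None or value in field


def rule_matches(rule: Rule, s: Session, groups: Set[str]) -> bool:
    group_ok = rule.groups is None or bool(groups & rule.groups)
    return (group_ok and _hit(rule.apps, s.app)
            and _hit(rule.url_categories, s.url_category)
            and _hit(rule.dst_countries, s.dst_country))


# Ordered policy: threat/geo blocks first so the bypass group cannot skip them,
# then the identity bypass, then the general content rules, then allow-and-log.
POLICY: List[Rule] = [
    Rule("block-sanctioned-geo", "block", dst_countries={"KP", "IR"}),
    Rule("block-malicious-urls", "block", url_categories={"malware", "phishing"}),
    Rule("investigations-bypass", "coach", groups={"filter-bypass"}),
    Rule("block-p2p", "block", apps={"bittorrent"}),
    Rule("coach-social", "coach", url_categories={"social-networking"}),
    Rule("allow-all-log", "allow"),
]


def evaluate(s: Session, policy: List[Rule] = POLICY,
             ip_user: Optional[Dict[str, str]] = None) -> Tuple[str, str, str]:
    """Return (rule name, action, attributed user) for a session."""
    if ip_user is None:
        ip_user = parse_user_mappings(SAMPLE_SYSLOG)
    user = ip_user.get(s.src_ip, "unknown")
    groups = USER_GROUPS.get(user, set())
    for rule in policy:
        if rule_matches(rule, s, groups):
            return rule.name, rule.action, user
    return "default-deny", "block", user      # implicit deny at the bottom


if __name__ == "__main__":
    samples = [
        Session("10.1.2.3", "web-browsing", "social-networking", "US"),
        Session("10.1.2.4", "web-browsing", "gambling", "US"),
        Session("10.1.2.4", "web-browsing", "malware", "US"),
        Session("10.9.9.9", "web-browsing", "news", "KP"),
        Session("10.1.2.3", "bittorrent", "unknown", "US"),
    ]
    for sess in samples:
        print(sess.src_ip, sess.app, sess.url_category, "->", evaluate(sess))
```

Every result carries the attributed username, which is the logging the post says HR needs; the counsel account is coached rather than blocked on gambling, but still hits the malware block because that rule sits above the bypass.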