Another nifty thing you can do with a Linux/UNIX firewall...

    May 16, 2013
    By way of example:


    On unencrypted HTTP connections (and FTP as well in nontransparent mode), you can block file downloads by extension. Like, say, blocking Windows executables from websites you've never heard of, while allowing executable downloads from (supposedly) trustworthy sites.

    (Note: I tested the above configuration in IPFire, and it works as intended. But yeah, it's not completely intuitive, and the interface is a tad quirky. So YMMV.)
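    The rule described above, written out as plain Squid ACLs (IPFire's web proxy is Squid, but IPFire generates its own squid.conf from the web UI, so this is an added illustration, not the poster's configuration or IPFire's output). The domains and the local subnet are constructed placeholders; the MIME-type check at the end goes a step beyond the post, since a renamed executable slips past an extension-only rule on unencrypted HTTP.

```conf
# Added example, not from the original post: block Windows executable
# downloads over plain HTTP unless they come from an allow-listed domain.
# Constructed placeholders: the subnet and the two "trusted" domains.
acl localnet   src 192.168.1.0/24
acl trusted_dl dstdomain .vendor.example .updates.example

# Match by path extension (case-insensitive), tolerating a query string.
acl exe_download urlpath_regex -i \.(exe|msi|scr|com|bat)(\?.*)?$

# Order matters: allow the trusted exception first, then deny the rest.
http_access allow exe_download trusted_dl
http_access deny  exe_download
http_access allow localnet
http_access deny  all

# Extension filtering only sees the URL; a renamed .exe still arrives with
# an executable Content-Type, so also deny on the reply's MIME type unless
# the origin is on the allow list.
acl exe_mime rep_mime_type -i application/x-msdownload application/x-msdos-program application/x-dosexec
http_reply_access deny  exe_mime !trusted_dl
http_reply_access allow all
```

Neither check helps on HTTPS unless the proxy is terminating TLS, which is exactly the trade-off the next paragraph raises.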


    One could also do this on HTTPS (in nontransparent mode), with a distro like pfSense that actually supports SSL MITM proxying. Not sure I'd want to do that, though, since it provides a single point at which an attacker could monitor all of your traffic, even encrypted stuff. Still not sure if the benefits outweigh the risks there.


    Also, it's probably good to force FTP through the proxy as well when possible. On IPFire that requires nontransparent mode. A little more annoying, but probably worth it - I've seen ITW attacks that downloaded stuff over FTP.