I think that if WebSense is installed and configured properly it is quite difficult if not impossible to get around. With the aforementioned possible exception of end-users configuring their browser to use an external proxy server.

Probably the most common configuration errors issues or oversights with WebSense that I've seen include scenarios where the WebSense server is configured as a proxy setting on the enduser's browser config. It is trivial to remove or change the proxy setting. This can be somewhat limited by implementing ACL's on the firewall that only permit outbound HTTP that has a source address of the Proxy.

Another "hole" I've seen involves a WebSense implementation that was not integrated with a Domain structure - this means that the filtering rules were based upon IP addresses. Someone doped out addresses that were not as tightly filtered and there were endusers manually changing their IP addresses. This was in my opinion a little more impessive on the part of the user community.

If I am asked to design a Websense deployment, I will always suggest either a CheckPoint or PIX firewall with a direct pointer to the WebSense box as the URL filter. Basically with this configuration, it is impossible for a user to do an "end-around" - which is how I've seen the biggest holes in WebSense deployments.

Though it should be noted that at least with the PIX, there is an option to allow all outbound internet traffic if the WebSense server is unavailable. This prevents an interuption to web browsing in the event that the WebSense server or service crashes.

ACL's on the firewall can do some good with reducing the ability of end-users to proxy through the filter.

Since WebSense is an application running on hardware and an OS, it is possible for the box to be targeted - but I can't think that there are many users who would attempt a DoS attack on an internal host simply to get around a URL filter.

Other issues that may present a problem with WebSense might be the URL classifications. It is possible if not probable that there are websites that your users may need access to that have been classified into categories that you are restricting. Likewise, there will be sites that have not been classified in categories yet. You can always tweak these settings yourself and/or suggest a URL for addition to the WebSense filtering database.

I am not aware of any shortcomings, gaping holes, or issues with the WebSense software itself.

Don't know if this is what you're looking for. Hope it helped.