For a bit more clarification on the difference between Span or Tap and Inline:
When we are Inline, we effectively control the entire connection as it occurs. We have numerous methods of blocking in this case - we can take control of the session, we can redirect the session, we can delay the session, we can drop the packets altogether, etc... In this mode, we can block whatever we like.
On a Span or Tap, we get a copy of the session and send a TCP RST to block it. While this is effective for 90+% of the traffic we want to block, it does have two limitations:
1) File and Active Content Detection - The issue here is a matter of timing. Even though the SWG is a VERY fast engine, by the time we get a copy of the packet stream via the Span port or Tap, the user actually already has a copy of the file. Sending the TCP RST in this case is ineffective because we cannot RST the transmission that has already occurred.
2) Content that is not TCP based - Some Application and Malware phone home signatures do not utilize TCP 100% (they will use a mix of UDP, for example) and thus will not respond to a TCP RST. This is why specifically for some applications you may get a 'Blocking ineffective in Tap mode' message when you configure a policy to block that application.
For the 2nd question you have:
Today SWG does not support acting as a proxy, so you would not be able to do this. This will be coming in a future release.
HOWEVER - I would recommend against setting up in this manner. If you allow users to connect to a proxy from outside of the network, all a malicious user would need is the IP address of your proxy (which is in the browser) to possibly launch a denial of service attack on your proxy. You could mitigate this by forcing some authentication to the proxy, but it would not 100% solve the issue. In addition, hard coding a proxy setting in the browser could cause issues at locations that use transparent proxies or proxies for authentication to WiFi access points (hotels, coffee shops, etc...).