Not sure if this helps but i will add my 5 cents here.
At our project we can not implement proxy because of a critical software that does not behave properly being proxied, so we are blocking by firewall and dns.
I would add a dns resolution at your nethserver instance pointingo youtube.com (and domains related) to a local web server with information on your content filtering policies.
Also, you should be blocking every DNS traffic for anything but your dns server to avoid dns hopping.
If you want to do this as a per-user basis… this will not be a solution of course. But i think you can tweak this to make it work.