You can setup transparent proxy on your client machine that will have your company's proxy as a parent and add authentication information when forwarding requests to the parent. You will need to install a proxy server that supports transparent proxying, I'd recommend squid; and you will need a firewall that will redirect your traffic to a proxy server, many windows firewalls can do that. Google for "squid transparent proxy", there are a lot of manuals.
Nice post. What is aggressive or not is hard to say, generally - YOU should decide that. All three are fine, but have different approach, usability issues, price etc.
I work for company that passes VISA/Mastercard security certification (PCI) every year and everything depends on what you do and what risks you might have. There is no company without risk, it might be minimal/insignificant for you, but risks are always present. Maybe it's enough for you to have http proxy and you are not afraid of guys, who are able to use http tunnel or use http-based remote applications etc (like Skype, Teamviewer) and you don't have control over application control, don't have an 802.1x certificate based auth on ethernet level with machine which has dual disk encryption which needs a special usb key for every bootup, despite this usb key is taken from one of 20 10-inch thick steel safes opened by splitted two passwords changed 6 hours ago, known by two guys, delivered by two security specialists with two guards and four remotely controlled cameras and all that is underground, 300m depth. What is applicable/enough for you - again, you decide.
If your employees are security experts and bad guys, able to use several tools and hide from cameras - there is no way to control them by watching their traffic and packets - they still can hide and make tunnel wherever they want, you should consider other things too (I guess Palo Alto Enterprise Perimiter can do it, if you need it so much and you pay for that USD 1 mil).
All your proposals are OK - there is nothing wrong to use any it in enterprise.
I recommend to take a look at SIEM alerting products too (Solarwinds SIEM, Trustwave SIEM, IBM Q1 Labs Qradar). Maybe you would like to watch the situation, not limit it in very details etc.
Best Answer
Setting up a proxy server inside China could turn out to be much trickier than you think...
ISP's are required to register all internet connected devices with the government and implement the government sanctioned block list. If you do manage to set up a proxy inside China that can bypass the block list, then it will technically be illegal. Setting up a proxy outside China that isn't blocked is a possibility, however there's no guarantee that it'll remain unblocked in the future. More info at Human Rights Watch...
The most legal / safe route would be to request your webapp be granted an exemption by the government, however I couldn't find an easy link to do this... you might try contacting the Chinese Ministry of Information Industry to see if they can point you in the right direction.
(I wish you luck though - the company I work for recently looked into doing business inside China, and it turned out to be horrendously complicated, even for a basic retail company)
The wikipedia page on PRC internet censorship also has a lot of good info and links.