For those of you who used a "--skip-broken" update with ClearOS Core, you may be stuck in limbo with two different xorg builds. It's easiest to re-install the graphical console tool and Xorg in this scenario:
Hi, I have to agree with Tony, I doubt it is your config (unless you have changed it from the default)...I didn't read through yours. I have some 150 users connected through our COS 6.5 for normal web browsing, and have never seen the waiting for proxy tunnel message you describe.
I suspect you could have one or more instances of P2P or torrent software - for example I believe that some services like skype attempt to process third party connections in the background, it is possible that if you have 100 clients trying to do this then your proxy will struggle.
Could you try with a single PC for a few hours - I'm almost certain you won't get the message. If your okay with wire shark, and can set it up on a router with a port duplicator so you can see traffic intended for the proxy IP, I think you would be able to identify if there were PC's sending an unusually high traffic volume.
I have also found that most of the play store works through the proxy set up the same way, but as soon as you come to download an app it doesn't want to know. Using the 'sledge hammer to crack a nut' approach I put the Phone's IP into the proxy bypass, and then removed the proxy values from the phone's wifi settings. Apps installed fine. I appreciate that this may not be entirely suitable if your aim is to restrict your daughter's web viewing, but you can always put the proxy back once the app is installed. I'm sure there will be away to identify the play store urls or IPs that need adding, and I guess this will be on Google somewhere.
to get your user working short term, I would either set a static IP on their workstation and add the IP to the filter exempt list, or set the url as a proxy bypass and configure the users local browser to add that url as "don't use proxy for".