I am running ISA server 2000 at my office along with Websense. I have used both websense and surf control and I think both make a good product. I did have two problems with surf control - 1.) Users were not identified transparently in all circumstances. To ensure rules were enforced, I ended up entering IPs of the machines. 2.) Surf Control would stop the firewall service every 20 days or so.
The primary reasons we went with websense was to cut down on employee surf time and reduce spyware threats. During the evaluation period while websense was deactivated, web browsing increased 1200%. Crazy. As to spyware, I was spending hours removing spyware each month. I used GPs to deactivate the installer, removed local admin rights from users, and disabled all music, video, compressed, and executable file type downloads. Additionally, I filtered out P2P sharing, IM, IRC... you name it, it's gone. If a user were so inclined to use SSH tunneled over port 443, I can easily see the pattern from websense reporting capabilities and block that site.
Lastly, as to cost... it's just not an issue. For websense enterprise, along with 3 premium groups, cost was $36 / user annually. Thats nothing compared to the billable time of removing the spyware. Not to mention increased productivity of employees. Just my $0.25 worth...