kaerast

 

DansGuardian

Page history last edited by kaerast@... 1 yr ago

The following instructions are roughly how we configured a web filter for ~20 users on ~20 PCs, all running Windows XP. The server hardware is a 3Ghz Hyperthreaded P4 Compaq desktop with 256Mb RAM. Feel free to comment with any additional steps or requests for more details.

 

  1. Ensure the filter hardware can automatically boot up following power interruptions.
  2. Install Ubuntu Server (very quick and easy to install, with a very minimal amount of software installed). Ensure that a journalling filesystem is used, as we can expect power interruptions; ensure that an encrypted filesystem is not used for the same reason, and also because encryption laws vary by country. The server needs a static IP address, either by linking MAC address to IP on the DHCP server or actually manual
  3. Install DansGuardian, Tinyproxy, Munin-node, Autossh, Randomize-Lines, Nullmailer from aptitude and download and install Webmin from webmin.com
  4. Configure the above as documented elsewhere
    1. Setup ssh keys
    2. DansGuardian or Tinyproxy need a port number changing so that DansGuardian actually uses TinyProxy, and Tinyproxy needs configuring to listen on 127.0.0.1 only so that filtering cannot be bypassed easily.
    3. Munin-node, autossh and randomize-lines can be left unconfigured.
    4. Nullmailer needs configuring to use a suitable smtp server and to send mail to relevant person(s).  Do this by dpkg-reconfigure nullmailer.
    5. Webmin needs a slightly modified version of the official DansGuardian module (dg-0.5.10-pr6.wbm) and a user creating which has only access to the Webmin module.
  5. Configure your Munin server to monitor the filter, using Autossh on the filter to create a reverse ssh tunnel because the filter may be behind a NAT router which cannot be configured (not that I'm bitter or anything).
  6. Download Phraselist from http://contentfilter.futuragts.com/phraselists/
  7. Download URL Blacklists from urlblacklist.com, noting that it is a commercial site and so only using their free one-time download.
  8. Configure template to include a form for reporting incorrectly blocked sites.  This form should email people responsible for the filter, and optionally also use an email2twitter address so that admins can receive alerts on the go.
  9. Download URL Blacklists from ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/ noting that it is not a commercial site, that they have far more adult sites and whitelisted sites and use this as a regularly updated source.
  10. Configure each PC to use the proxy, to use Windows Update correctly, and uninstall MSN Messenger. This can be done through login/startup scripts and a Samba Domain, or from scripts on a USB memory stick and manually. Take a look at proxy.zip for an idea of this. It is also helpful to have winscp and putty on this memory stick, since we have banned downloads of exe files. You may also want OpenOffice, PDF readers and writers and other useful tools available for installation. In an ideal world, this step would be replaced by configuring the router to route http traffic via the filter and leaving the OLPC machines untouched.
  11. Allow the download of .doc files and .xls files from within Dansguardian config files.
  12. Talk to the teachers about what exact sites should be blocked to ensure any local specialities are covered
  13. Configure the server to use the OpenDNS DNS servers, enabling reporting and filtering.  Add phrases from the OpenDNS Guide and Block pages to the bannedphrases file so that they don't get used (some fancy modifications of the template could be done here at a later stage).
  14. Test everything.  A good site to test with is playboy.com, it's banned by urlblacklists, OpenDNS and phraselists and is actually quite innocuous compared to many adult sites.
  15. Add/remove things from the filters as and when discovered, it is helpful to not edit anything within the blacklists directory since these will be modified by scripts.  Instead, edit grey/exception lists and banned lists.
  16. After running for a week, configure a password-protected filter bypass.  This will be documented later, but essentially is based upon http://contentfilter.futuragts.com/wiki/index.php?title=Bypass_Hash_Usage

 

/etc/cron.weekly/updatebl:
#!/bin/bash
###
# Weekly refresh of the DansGuardian URL blacklists.
# Don't allow undefined variables.
set -u
export BL_URL=${BL_URL:="ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz"}
export DB_PATH=${DB_PATH:="/etc/dansguardian/blacklists"}
export HOME_DIR="/tmp"
export SG_UGID=${SG_UGID:="root:root"}
export DG_PATH=${DG_PATH:="/usr/sbin"}
export UNCOMP_CMD="/bin/gunzip"
export UNTAR_DIR="blacklists"
export VERS="0.9.2"
# Create a few working variables.
export BL_TAR_BASE="blacklists.tar.gz"
export BL_TAR_FULL="${HOME_DIR}/${BL_TAR_BASE}"
export TMP_DIR="/tmp/blacklists"
# Fetch through the local proxy.
export http_proxy="127.0.0.1:3128"
# Make sure the working directory exists and really is a directory.
if [ ! -d "${TMP_DIR}" ]
then
    if [ -e "${TMP_DIR}" ]
    then
        echo "ERROR: ${TMP_DIR} already exists, but isn't a directory;"
        echo "       aborting Blacklist refresh."
        exit 1
    fi
    mkdir "${TMP_DIR}"
fi
cd "${TMP_DIR}"
if [ "$?" != "0" ]
then
    echo "ERROR: unable to cd into working directory,"
    echo "       ${TMP_DIR}"
    exit 1
else
    if [ -f "${BL_TAR_FULL}" ]
    then
        rm -f "${BL_TAR_FULL}"
    fi
    if [ -f "./${BL_TAR_BASE}" ]
    then
        # Removing old ${BL_TAR_BASE}.
        rm -f "./${BL_TAR_BASE}"
    fi
    # Running wget to retrieve new lists.
    wget -q -Y on "${BL_URL}" -O blacklists.tar.gz
    if [ "$?" != "0" ]
    then
        echo "ERROR: unable to retrieve new lists,"
        echo "       aborting blacklist refresh."
        exit 1
    else
        # Successfully retrieved new lists.
        # Untarring Blacklist archive; a failed gunzip also counts as an
        # extraction failure.
        gunzip blacklists.tar.gz && tar -xf blacklists.tar
        if [ "$?" != "0" ]
        then
            echo "ERROR: unable to extract new lists,"
            echo "       aborting blacklist refresh."
            exit 1
        else
            # Moving new lists into place, replacing each old category.
            for i in "${UNTAR_DIR}"/*
            do
                ib="$(basename "${i}")"
                export ib
                if [ -d "${DB_PATH}/${ib}" ]
                then
                    rm -rf "${DB_PATH}/${ib}"
                fi
                mv "${UNTAR_DIR}/${ib}" "${DB_PATH}"
            done
            # Remove temporary files and folders.
            cd /tmp
            rm -rf /tmp/blacklists
            # Change owner and permissions.
            chown -R "${SG_UGID}" "${DB_PATH}"
            chmod -R 755 "${DB_PATH}"
            # Randomising lists and restarting Dansguardian.
            # The semicolons that end each -exec must be escaped from the shell.
            cd /etc/dansguardian/blacklists ; find . -type f -exec rl '{}' -o '{}'.tmp \; -exec mv -f '{}'.tmp '{}' \;
            /etc/init.d/dansguardian restart >/dev/null 2>&1
            # Finished Blacklist update.
            exit 0
            ####
            #### If everything went well, we exited here.
            ####
        fi
    fi
fi
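
The cron job above runs as root, fetches the archive over plain FTP and unpacks it in a fixed path under /tmp, so the archive contents are worth checking before anything is moved into /etc/dansguardian. The following is an added example, not part of the original page: the function names check_members and stage_lists are hypothetical, the top-level directory name blacklists is taken from UNTAR_DIR in the script, and GNU tar (as shipped with Ubuntu) is assumed.

```shell
#!/bin/bash
# Added example: vet a downloaded blacklist archive before a root cron job
# unpacks it. Function names are hypothetical.

# check_members ARCHIVE PREFIX
# Succeeds only if the archive holds nothing but regular files and
# directories, and every member path stays under PREFIX/.
check_members() {
    archive="$1"; prefix="$2"
    names="$(tar -tzf "$archive" 2>/dev/null)" || return 1
    types="$(tar -tzvf "$archive" 2>/dev/null)" || return 1
    [ -n "$names" ] || return 1
    # First character of each verbose listing line is the entry type.
    while IFS= read -r line; do
        case "$line" in
            -*|d*) ;;                       # regular file or directory
            *) return 1 ;;                  # symlink, hard link, device, fifo
        esac
    done <<EOF
$types
EOF
    while IFS= read -r path; do
        case "$path" in
            /*|..|../*|*/..|*/../*) return 1 ;;   # absolute or climbing path
            "$prefix"|"$prefix"/*) ;;             # inside the expected tree
            *) return 1 ;;                        # stray top-level entry
        esac
    done <<EOF
$names
EOF
}

# stage_lists ARCHIVE
# Vets ARCHIVE, unpacks it into a fresh private directory from mktemp
# (not a predictable /tmp name) and prints that directory.
stage_lists() {
    check_members "$1" "blacklists" || return 1
    stage="$(mktemp -d)" || return 1
    if tar -xzf "$1" -C "$stage" --no-same-owner --no-same-permissions; then
        printf '%s\n' "$stage"
    else
        rm -rf "$stage"
        return 1
    fi
}
```

In the cron script, the directory printed by stage_lists would take the place of /tmp/blacklists as the source for the move into DB_PATH, and a failed check would abort the refresh with the old lists left in place.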

 
