tested from clients site and locally
A client was concerned about gmail so I had them get the premium pack. I get it set up last week and they are reviewing it this week and they found a way into gmail.
google.com > sign in > https://accounts.google.com/ServiceL...ww.google.com/ > log in > click gmail off main google.com page > https://mail.google.com/mail/?tab=wm#inbox > my inbox, hmmm
Now I could go to the firewall and tell it to block the 5 IP addresses that resolve for that mail.google.com or gmail.com. That will work for maybe a week if I am lucky; my luck sucks.
I tried to block the accounts.google.com (google login page) and the mail.google.com/mail and a couple other variants of the url but no luck. I guess it is because the connection is initiated from the allowed site of google.com that it makes it past the web filter, beats me.