Hacker News

You're getting mixed up. DPI on TLS sessions requires a MITM. The problem is (apparently) that there are no enterprise-grade MITM solutions that support TLS 1.3


So here's how I'm imagining the current solution, as implemented at the bank I worked at. Remember first off, there is no route to the Internet from workstations. Everything goes through a regular old HTTP proxy running on a server that accesses both the intra and Inter nets. You send it the host you want ("GET https://example.com/"), it fetches it and returns the HTML. It is nothing more complicated than:

socat tcp-listen:8080,reuseaddr,fork 'system:curl $(grep -m 1 GET | cut -d " " -f 2)'

with a little logging to put Nefarious Sites on your Permanent Record.
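The proxy model described in the comment above, as an added example (not the commenter's code): a Python sketch of the request-line parsing and logging step of an explicit HTTP proxy, using a hypothetical deny-list and constructed request lines. It also handles CONNECT, where the proxy sees only the destination host, which is the visibility limit that makes content inspection require the MITM discussed in the thread.

```python
import logging
from urllib.parse import urlsplit

logging.basicConfig(level=logging.INFO, format="%(asctime)s proxy %(message)s")
log = logging.getLogger("proxy-audit")

# Hypothetical deny-list; a real deployment would feed this from a site-categorisation service.
BLOCKED_HOSTS = {"blocked.example"}

# Constructed request lines, as an explicit proxy receives them from a workstation browser.
SAMPLE_REQUESTS = [
    "GET https://example.com/ HTTP/1.1",
    "CONNECT blocked.example:443 HTTP/1.1",
    "GET /relative/path HTTP/1.1",
]

def parse_request_line(line):
    """Return (method, host, target) for an absolute-form request line, else None."""
    # A browser behind an explicit proxy sends the full URL (or host:port for CONNECT),
    # so the proxy learns the destination without touching the TLS session itself.
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return None
    else:
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            return None
        host = url.hostname
    return method, host.lower(), target

def audit(line):
    """Log the request and return the policy verdict: 'allow', 'deny' or 'reject'."""
    parsed = parse_request_line(line)
    if parsed is None:
        log.warning("reject malformed request line %r", line)
        return "reject"
    method, host, target = parsed
    verdict = "deny" if host in BLOCKED_HOSTS else "allow"
    # With CONNECT only the host is visible; the URL path stays inside the TLS tunnel.
    log.info("%s method=%s host=%s target=%s", verdict, method, host, target)
    return verdict

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", audit(req))
```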


That argument is a non-starter. Surely somebody will build and market such solutions once TLS 1.3 becomes widely used.

The protocol must be finalized before enterprise-grade products can use it, not the other way around.
