as the shortened URL only redirects the browser to a new location, WebGateway will check both URLs against the configured rules. So it's likely that the shortened URL is not listed, as there can be hundreds of shortened URLs pointing to one URL, and it's enough to block/categorize the final URL.
That's a good point. However, the decision to block all shortened URLs is on the basis that we want stricter filtering for the final destinations of shortened URLs. That is, we would want only the most trusted destinations to be allowed by way of a shortened (obfuscated) URL, and definitely not unverified destinations.
Note that a user is welcome to manually expand a shortened URL. Hopefully, they'll know better than to go to getinfectedhere.ru.
What our policy means is that if we allowed shortened URLs we would want to scrutinize the shortened URL at the time of the request for the shortened URL.
Note that doing this with a referrer would not satisfy what our policy makers regard as healthy security paranoia. Back to the point about a training page: imagine if a user was prompted with: "That URL resolves to getinfectedhere.ru, which is unverified and located in Russia. Are you really sure you want to go there?" (Of course, blocking by geo-location is also possible, but there's plenty of CDN content for U.S. services that is hosted outside the U.S.) So, this is really a discussion about improving capabilities. And, it seems appropriate to compare the advantages of what is currently possible to what could be done beyond what is currently available.
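The gap between the two positions in this thread, shown as an added Python example that is not part of the original posts and is not Web Gateway rule syntax: `per_request` judges each URL on its own, while `chain_aware` applies the stricter rule to destinations reached through a shortener. The domain lists, function names and sample chains are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions, not taken from the thread or any product).
SHORTENERS = {"short.example"}
TRUSTED = {"example.com"}
BLOCKED = {"blocked.example"}


def host(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def listed(name, domains):
    """True if the host or any of its parent domains is on the list."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def per_request(chain):
    """Each URL is judged independently, as successive requests would be."""
    return "block" if any(listed(host(u), BLOCKED) for u in chain) else "allow"


def chain_aware(chain):
    """Stricter verdict when the destination was reached through a shortener.

    chain: URLs in request order, first = clicked link, last = final destination.
    Returns (verdict, message) with verdict in {"allow", "coach", "block"}.
    """
    if not chain:
        raise ValueError("empty redirect chain")
    hosts = [host(u) for u in chain]
    final = hosts[-1]
    for h in hosts:
        if listed(h, BLOCKED):
            return "block", f"{h} is on the block list"
    if listed(final, SHORTENERS):
        # The chain ends on a shortener, so the destination is still unknown.
        return "block", f"{final} did not resolve to a destination"
    via_shortener = any(listed(h, SHORTENERS) for h in hosts[:-1])
    if via_shortener and not listed(final, TRUSTED):
        # Training-page case: show the user where the short link really goes.
        return "coach", f"That URL resolves to {final}, which is unverified."
    return "allow", ""
```

An unverified destination that passes `per_request` is turned into a coaching prompt by `chain_aware` only when a shortener appears earlier in the chain; the same destination typed in directly is still handled by the normal policy.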