This may happen when one side of the session closes the connection before a rule can be found in your access control list. It happens very fast, maybe like this:
client -> server
Before it can even go through all your rules and match one OR hit the Deny All rule the session has already ended, so it says <deny no rule>.
It may also happen if you try to browse transparently through a non-transparent HTTP rule.
My colleague took a look at this in my absence earlier this morning and seemed to pinpoint that the destination addresses in these audit records all seemed to belong to domains owned by Google. We're wondering if the users in question are either using Google Chrome or a Google Toolbar of sorts.
Anyway, the customer has been informed and has gone away to check.