2) not sure which functionality is lost, but the authentication is handled differently, see the following post for more info https://community.mcafee.com/message/164417#164417
3) there is a cloud-based filtering solution that McAfee offers, but if I'm not mistaken you would either use their McAfee Proxy Agent or point to it via a proxy.pac file
The cloud service is limited in its capability compared to what the actual Web Gateway solution can do. If you were to go the cloud route, I would strongly recommend using the McAfee Client Proxy agent to ease authentication to the service.
We are using MWG appliances on premise and the SaaS solution for clients when they are off network. The McAfee Client Proxy determines if the machine is on or off network, and directs the client to a service accordingly. When on network, we have the client go to sleep and it uses our standard proxy.pac. If off network, the MCP re-directs the web based traffic to the cloud service and handles all the authentication so the user / browser doesn't have to worry about the proxy authentication in the cloud.