There are a couple of advantages for each, I think.
If you leave certificate verification in place MWG will verify that the certificate is OK, not expired, not self-signed, not signed by a bad certificate authority, etc. This is generally a check you want for security reasons, even for banking sites it may be beneficial to have an additional layer of security and a "second opinion" on the certificate.
If the certificate is "suspicious" the access will be denied and the user has no chance at all to overcome this block. If you completely whitelist SSL Scanner the user will notice a warning that something is wrong with the certificate, but it is up to him to decide whether the certificate is trustworthy or not.
Another fact to keep in mind is that enabling certificate verification will prevent users from accessing a website if MWG does not know the certificate authority. This may happen for CAs that are not known, but CAs are updated frequently, and in case you find a CA, the subscribed list is updated in a short period of time.
For me this is a question of how "skilled" your users are. I know that we have customers with users that are technically expert and/or trained - they would become nervous when they notice that the browser shows a warning about an expired certificate and won't continue their doings. But I also know we have customers with users who would continue doing online banking, even if the certificate is suspicious.
So the question is: Do you want to leave this decision to your users?
In my opinion I would leave Certificate Verification in place. It won't hurt as long as all is good with the certificates, and usually banks are very sensitive in regards to their certificates. If a banking web site uses a certificate that MWG would block, there might be a reason for it. I definitely would stop my users from going there and have a look myself or via some IT helpdesk before letting them proceed.
Privacy is not an issue as long as you keep content inspection disabled due to whitelisting. The original certificate will be used to encrypt the connection, there is no way for MWG to look inside.
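To make the checks described in the reply above concrete, here is an added example (not code from the thread, and not MWG's own implementation) that reproduces what a verifying proxy does with the server certificate: it builds a constructed trusted root CA, then four server certificates for a placeholder host name `bank.example` (valid, expired, self-signed, and signed by a CA the proxy does not know) and reports a verdict for each. It uses only Go's standard `crypto/x509` package; all keys, names and validity windows are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder host name and a fixed "current time" used for every check.
const host = "bank.example"

var now = time.Now()

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from template using the parent's key.
// Passing the template itself as parent yields a self-signed certificate.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func leafTemplate(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Verdict applies the checks a verifying proxy performs on the server
// certificate (validity period, chain to a known CA, host name) and
// returns "accepted" or a "blocked: ..." reason. A proxy that enforces
// this denies the connection; a browser would instead show the warning.
func Verdict(cert *x509.Certificate, trusted *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now})
	if err == nil {
		return "accepted"
	}
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "blocked: expired"
	case errors.As(err, &unknown):
		return "blocked: unknown or self-signed issuer"
	default:
		return "blocked: " + err.Error()
	}
}

// RunScenarios builds one trusted CA, one CA the proxy does not know, and
// four server certificates, then returns the verdict for each scenario.
func RunScenarios() map[string]string {
	caKey, rogueKey, leafKey := newKey(), newKey(), newKey()
	caTpl, rogueTpl := caTemplate("Trusted Root CA", 1), caTemplate("Unknown CA", 2)
	ca := sign(caTpl, caTpl, &caKey.PublicKey, caKey)          // in the proxy's CA list
	rogue := sign(rogueTpl, rogueTpl, &rogueKey.PublicKey, rogueKey) // not in the list

	valid := sign(leafTemplate(10, now.Add(-time.Hour), now.Add(time.Hour)), ca, &leafKey.PublicKey, caKey)
	expired := sign(leafTemplate(11, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, &leafKey.PublicKey, caKey)
	selfTpl := leafTemplate(12, now.Add(-time.Hour), now.Add(time.Hour))
	selfSigned := sign(selfTpl, selfTpl, &leafKey.PublicKey, leafKey)
	unknownCA := sign(leafTemplate(13, now.Add(-time.Hour), now.Add(time.Hour)), rogue, &leafKey.PublicKey, rogueKey)

	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return map[string]string{
		"valid":       Verdict(valid, trusted),
		"expired":     Verdict(expired, trusted),
		"self-signed": Verdict(selfSigned, trusted),
		"unknown-ca":  Verdict(unknownCA, trusted),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-12s %s\n", name, verdict)
	}
}
```

The "unknown-ca" case is the situation the reply warns about: a certificate that is otherwise fine is blocked only because its issuer is missing from the trusted list, which is why keeping the CA list current matters when verification is enforced rather than left to the user.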
Thanks Andre for your detailed response. Especially the fact that there is no privacy issue when doing certificate checks while disabling content inspection is the key information I was looking for.
So in that scenario, could I describe it as "Connection is being tunneled, not decrypted, but certificates are checked"?
That is an accurate description. Only if content inspection is used will the connection be decrypted.