that's a tough question - maximum security with minimal restriction.
What first comes to mind is that you should probably rethink the workflows in your org to. Do developers need to download tools? If yes can you put these tool on to a central internal server where your folks can get them from? Does every developer really need to download the latest eclipse SDK individually for example?
If your people need to test their tools with external server, you might want to exempt test lab networks.
You also might want to review the policy worst case and create policies that would just block explicit content and allow a broader access.
You could work with coaching as well and tell people that, while generally prohibited, they can access the resource if business reasons force them to.
You could think about only scanning downloads of certain sizes
There is really no gold answer to your question - sorry!