The proxy server is probably the best solution (because iOS parental controls don't allow you to set a whitelist as far as I can tell). Be aware of one major caveat though: If you let people install apps from the app store they can and will find a way around your proxy restriction.
In order to make this work you will need to combine the proxy settings with iOS "parental control" restrictions to ensure that your users are not able to break out of the sandbox you're putting them in.
I was inclined to close this as Not Constructive because there's really no advice we can give you beyond "you seem to be doing it right" and what Zoredache has already said in his comment (find a provider that will let you do what you want in regards to running a proxy), but maybe someone will come up with a better solution than the proxy server.