I've hit this with Academia lots of times in the UK. Proxies (i.e. REAL proxies, looking for proxy traffic) are a pain in the !*£#.
One thing we've done a couple of times is as follows...
As CJ suggests, create another VLAN for starters, and associate this service with that VLAN. On the TMG, add a new interface (with IP address/subnet). If it's a REAL server, this depends on you having another NIC. If it's an ESXi or similar, the host normally has spare NICs in my experience. Make the TMG the default gateway on the VLAN, and enable the policies on the TMG to route traffic in from that new NIC IP/subnet (and NOT auth it), and apply content control as liked. But, keep the interface configuration set so it doesn't NEED to see proxy traffic, just NORMAL HTTP/HTTPS. Then it's just a case of applying the firewall roles on your controller for this service as you like, and supplying DHCP somewhere. Oh, the TMG will probably need to NAT too.
I don't pretend to have a full "guide" for how to do the TMG part. Normally, a Microsoft-knowledgeable customer can get this done. Either that, or have a look around Technet/Google?
Just a thought...
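The post above describes a design rather than a configuration: a dedicated VLAN and subnet, a new gateway interface on the TMG, a DHCP scope somewhere, no proxy auth on that segment, and NAT out. The script below is an added example, not the poster's or Microsoft's code, and it does not touch TMG at all; it only sanity-checks that such a design is internally consistent before anyone builds it (gateway inside the subnet, DHCP scope not handing out the gateway, no overlap with subnets the gateway already serves, and the segment flagged as plain HTTP/HTTPS with no authentication). All addresses and names in it are constructed placeholders.

```python
"""
Sanity-check a guest/service VLAN design of the kind described in the post:
a dedicated subnet, a gateway interface on the firewall (TMG in the post),
and a DHCP scope, all of which must agree with each other and must not
overlap the networks the gateway already serves.

All addresses below are constructed examples, not values from the post.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VlanDesign:
    name: str
    subnet: str            # e.g. "10.50.0.0/24"
    gateway_ip: str        # IP the firewall's new interface gets on this VLAN
    dhcp_range: tuple      # (first, last) address handed out by DHCP
    proxy_required: bool   # True if clients are expected to use an explicit proxy
    auth_required: bool    # True if the firewall should authenticate this segment


def validate_design(design: VlanDesign, existing_subnets) -> list:
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    net = ipaddress.ip_network(design.subnet, strict=True)
    gw = ipaddress.ip_address(design.gateway_ip)

    # The gateway interface must sit inside the VLAN's subnet and must not be
    # the network or broadcast address.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is not a usable host address in {net}")

    # The DHCP scope must lie inside the subnet and must not hand out the gateway.
    first, last = (ipaddress.ip_address(a) for a in design.dhcp_range)
    if first > last:
        problems.append("DHCP range start is after its end")
    if first not in net or last not in net:
        problems.append(f"DHCP range {first}-{last} is not inside {net}")
    if first <= gw <= last:
        problems.append(f"DHCP range {first}-{last} includes the gateway {gw}")

    # The new VLAN must not overlap any subnet the firewall already routes,
    # or traffic will end up on the wrong interface.
    for other in existing_subnets:
        other_net = ipaddress.ip_network(other, strict=True)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps existing network {other_net}")

    # The post's point: this segment carries plain HTTP/HTTPS with no proxy
    # settings and no authentication at the gateway; flag the opposite.
    if design.proxy_required:
        problems.append("segment expects explicit proxy traffic; intent is plain HTTP/HTTPS")
    if design.auth_required:
        problems.append("segment expects gateway authentication; intent is no auth on this VLAN")

    return problems


# Constructed example values (hypothetical networks, not from the post).
EXISTING_SUBNETS = ["10.0.0.0/16", "192.168.1.0/24"]

GOOD_DESIGN = VlanDesign(
    name="guest-vlan-example",
    subnet="10.50.0.0/24",
    gateway_ip="10.50.0.1",
    dhcp_range=("10.50.0.100", "10.50.0.200"),
    proxy_required=False,
    auth_required=False,
)

BAD_DESIGN = VlanDesign(
    name="guest-vlan-broken",
    subnet="10.0.5.0/24",           # overlaps 10.0.0.0/16
    gateway_ip="10.0.5.150",        # sits inside the DHCP range
    dhcp_range=("10.0.5.100", "10.0.5.200"),
    proxy_required=True,
    auth_required=True,
)

if __name__ == "__main__":
    for d in (GOOD_DESIGN, BAD_DESIGN):
        print(d.name, "->", validate_design(d, EXISTING_SUBNETS) or "OK")
```

Run it as-is to see the good design pass and the broken one report four findings; swap in your own subnets and the ones your gateway already routes to check a real proposal.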