Is it possible to create a template fragement to allow outbound traffic on port 80 to a specific host? Then the students would still be constrained to use DansGuardian for general web access, but the fat client application could talk to the specified host without obstruction...
I don't understand masq enough to be of much help. I'd start by searching /etc/init.d/masq for the lines affecting port 80, guess which one is causing my headache, and put a line above it to allow traffic on port 80 to the one off-site server. If that works, "just" find the template-fragment that creates the "DROP" rule and make a new fragment with your rule that starts with a slightly lower number, expand-template, etc, etc...