Two other possibilities for circumventing bad
caching proxies (beyond setting cache-control, etc headers) are to have sensitive pages
be https or to add a "sessionid" to the url (which will prevent cache hits since every url
would then be unique to the given session). I think
both of those will work no matter how broken your proxy is.
Also, even if the pages are cached you cannot carry out
any operation that does a permissions check since the
session_id in the cookie will be correct even if the page
presented to the browser is wrong.
