The way I accomplished this was by double-redirecting, i.e. forcing all URLs (except for things which would be included/in-lined e.g. images, scripts, and style-sheets) to HTTP unless they were explicitly forced to HTTPS. The force to HTTPS is done with a filter registered to whatever nodes you specified in the RestrictToHttps parameter, so I modified the filter to mark ad_conn if it passed without redirecting and then added a second filter registered to all URLs, with a later priority to redirect all HTTPS connections not previously marked to HTTP. To exclude images and the like from redirection, I added a third filter for all relevant extensions (gif, jpeg, css, js, etc.) which marked ad_conn, and gave it a priority between the other two filters. One unfortunate thing is that image loading is slower on HTTPS pages due to encryption, but you could speed that up by explicitly calling HTTP
E-mail me if you'd like to see the actual code.
