The five options for terminal services mode (Negotiate Kerberos/NTLM, Kerberos, NTLM Authentication, NTLM Identification and Proxy authentication) are meant to be used in situations where multiple users are browsing from one IP address. The terminal services methods authenticates and identifies every request, rather than just every new session.
When multiple users are browsing from the same IP address, the web filter can't assume that every request from the same IP address originates from the same user. Every request has to be identified to track user activity accurately in those circumstances.
For terminal services users, Microsoft direct access users and other situations where multiple users are seen as browsing from the same IP address, you could use a suitable terminal services mode option but consider using the iDex client roll out to clients in those circumstances. The iDex Client identifies users automatically on every single request and doesn't have any compatibility issues with software that might not be capable of answering a proxy authentication request using Kerberos or NTLM.