If a filter is set up to not just block access to but also flag based on something as trivial to embed as a URL one would hope the technology would be a little bit more involved than a single hit on a .ico file for a flag.
A web filter / proxy does not have any way to tell whether any individual HTTP request was requested as a result of HTML embedding, bookmarking, user entry or clicking on a link.
If your position is that monitoring HTTP traffic is useless because favicons can be embedded into webpages, what method would you propose to monitor employees browsing habits then?
Furthermore, how would you monitor the HTTP traffic of suspected terrorists? After all, anyone can embed an image to "www.isis.com/blackflag.jpg" into any webpage, so shouldn't we stop monitoring all such traffic?
Your original assertion was that "it's a pretty crappy check", but I think what you are missing here is that it's the only possible check, minor irrelevant flaws and all.
No, it isn't the only possible check, but besides that the 'HTTP traffic of suspected terrorists' will be nicely encrypted in a way that you won't be able to intercept the URLS.
Lots of fearmongering here, if you want to monitor your employees browsing behavior then you're going to have to supply them with the hardware they do the browsing on, lock that hardware down and install some nannyware to do the monitoring. That way you won't have to MITM each and every connection and you'll have a more secure setup overall.
What would you propose instead?