Controllerless Networks

Can you please explain the relationship between an Application/Web Access Control List applied to a role, and the separate Content Filter function?

The documentation for Firewall describes it as:

Instant supports the following types of ACLs:
ACLs that permit or deny traffic based on the source IP address of the packet.
ACLs that permit or deny traffic based on the source or destination IP address, and the source or
destination port number.
ACLs that permit or deny traffic based on network services, application, application categories, web
categories, and security ratings.

The documentation for Content Filter describes it as:

With content filter, you can achieve the following:
Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. 
When the OpenDNS credentials are configured, the Instant AP uses these credentials to access OpenDNS and provide enterprise-level content filtering.

Questions:

1. What will happen if both of these features are enabled? Is Aruba Instant Firewall's web categorization capability actually dependent on Content Filter being enabled?
2. If not dependent, then what will happen if both are enabled? Will one override the other?
3. What if I have no OpenDNS account configured, but Content Filter is enabled? Will it use the default OpenDNS service and still be able to resolve?
4. What is the source IP of client DNS requests received at OpenDNS? Client or AP or VC?

Did you ever figure out the answer to your questions? In our experience, network-based access rules for applications appear to work somewhat without having "content filter" turned on. For example, we were able to throttle the application category "streaming", but were not able to block web categories.