Just put an access-list on the inside leg of the pix with something like :
access-list xxx permit tcp host <citrix server> host 199.81.196.121 eq 80
access-list xxx deny tcp host <citrix server> any eq 80
access-list xxx permit ip any any
access-group xxx in interface inside
This will enable the citrix server to browse
and no other site, while maintaining ip access to the rest of the services on the internet.
If you don't wan't the citrix server to access anything on the net other than
on port 80 you could put in
access-list xxx deny ip host <citrix> any
after the first permit statement
Just remember that if fedex.com changes their ip, you have some managment work. Maybe URL filtering via websense or some other n2h2 server would be advisable.
Jan