However, if there is any concern about either a Netflix server OR an ISP's cache being used to obtain illicit copies of the video, the solution is simple. This is a trivial problem to solve. Send and store the streams in encrypted form, passing a decryption key to the user via a separate, secured channel such as an HTTPS session. Then, it is not possible to obtain usable copies of the content by stealing either a Netflix server OR an ISP-owned cache. Problem solved.
That works for individual sessions, but not for the cache scenario. Either everyone gets the same key (which is equivalent to no key at all) or the cache has to be able to participate in the encryption. Beyond that small fly in the ointment, I believe Netflix's current model operates pretty much as you suggest. However, their cache boxes have to participate actively in the encryption in order to avoid providing the same decryption key to everyone for any given show. I suspect (though I don't know) that encrypted content is loaded onto the cache in a form encrypted with a key known to the software on the cache, and that each streaming request causes said content to be decrypted and immediately re-encrypted with a user-specific key and/or session-specific key and then sent to the user. Hence the requirement that the cache be on a box run by Netflix, and probably part of the reason for the greater power requirements.

Owen
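A sketch of the per-session re-encryption speculated about in the reply above, added here as an illustration; it is not part of the original thread and not Netflix's actual design. `CacheBox`, `xor_stream` and `demo` are hypothetical names, the video bytes are constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode.
    The same call encrypts and decrypts. A real system would use an AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class CacheBox:
    """Hypothetical cache appliance holding content under a key its software knows."""
    def __init__(self, storage_key: bytes):
        self._storage_key = storage_key
        self._store = {}                      # title -> (nonce, at-rest ciphertext)

    def load(self, title: str, nonce: bytes, ciphertext: bytes) -> None:
        self._store[title] = (nonce, ciphertext)

    def stream(self, title: str, session_key: bytes):
        nonce, at_rest = self._store[title]
        plain = xor_stream(self._storage_key, nonce, at_rest)   # decrypt stored copy
        session_nonce = os.urandom(12)                          # fresh per request
        return session_nonce, xor_stream(session_key, session_nonce, plain)

def demo():
    video = b"constructed sample frame data " * 8   # constructed input, not real media
    storage_key, nonce = os.urandom(32), os.urandom(12)
    cache = CacheBox(storage_key)
    cache.load("show", nonce, xor_stream(storage_key, nonce, video))
    sessions = {}
    for user in ("alice", "bob"):
        key = os.urandom(32)                  # would reach the client over HTTPS
        n, ct = cache.stream("show", key)
        sessions[user] = {"key": key, "nonce": n, "ciphertext": ct}
    return video, sessions

if __name__ == "__main__":
    video, s = demo()
    a, b = s["alice"], s["bob"]
    print("alice decrypts her stream:", xor_stream(a["key"], a["nonce"], a["ciphertext"]) == video)
    print("bob's key on alice's stream:", xor_stream(b["key"], a["nonce"], a["ciphertext"]) == video)
```

`stream` only works because the storage key sits on the box itself, which is the property behind the requirement that the cache be run by Netflix.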