Maybe specify an invalid proxy server on all the machines. Then add the domains they CAN go to, to the bypass proxy list. I believe this can all be done via registry keys and/or Policies.