The normal way to control access is to use a proxy.
You configure the gateway router to forward 'controlled ports' to the proxy server
and to only accept from the same, e.g. (80,443=http, 25,110,143=email).
This will cause clients to not have internet access
(it could also be used to control access to internal departmental servers).
Then you install the proxy server and use the Domain Controller to reconfigure client
browsers to use your proxy.
Now all access flows through it and you can properly control all domain access
as well as specific protocol usage, e.g. Torrents and Streamed Video.
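
The "only accept from the same" half of the gateway setup, as an added example that is not part of the original post: an nftables forward chain that lets only the proxy open outbound connections on the controlled ports and logs any client that tries to go direct. The proxy address 192.0.2.10 and the interface names lan0 and wan0 are assumed values; the post names no product or addresses.

```nftables
# Added example. Assumed values, not from the post:
#   proxy server 192.0.2.10, LAN interface "lan0", WAN interface "wan0".
table inet gateway {
    # The controlled ports listed in the post: 80,443 = http; 25,110,143 = email.
    set controlled_ports {
        type inet_service
        elements = { 25, 80, 110, 143, 443 }
    }

    chain forward {
        # Anything not matched below is dropped. Other traffic the site needs
        # (for example DNS lookups made by the proxy) requires its own rules.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were already allowed out.
        ct state established,related accept

        # Only the proxy may open outbound connections on the controlled ports.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.10 tcp dport @controlled_ports accept

        # A client going direct is logged and reset, so a browser that has not
        # picked up the proxy setting fails at once and shows up in the log.
        iifname "lan0" oifname "wan0" tcp dport @controlled_ports log prefix "direct-egress " reject with tcp reset
    }
}
```

The "direct-egress" log lines identify machines that did not receive the browser proxy setting or that run software ignoring it.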