It would be good if you could add a content filter into the infra, e.g. Blue Coat (they have a free agent called K9), and lock down the user client proxy setting (assuming they are only users and have no admin privilege, which you should not grant them anyway).
You can also check out my answer in ID: 23295100, on the use of proxy.pac or WPAD (but that also needs user mode to restrict unauthorised changes), at
http://www.experts-exchange.com/Networking/Security/Q_24024960.html