Firewalled! -
We first started with a Host rule that defines all our internal DNS aliases, and internal proxy server hosts.
The list was about 24 items.
Next we use a two part fire wall rule,

a. The allow rule, we  defined the browsers by name.exe only, we wanted to trap on name.exe only here. 
Next we set the host rule active to filter incoming traffic only - if the browser is not recieving Tx from a defined host  or dns found in this host rule it fail to the next rule.

b. This is the block rule, uses "*" for the application name and Application hashes of all of the browsers version found internaly - about 34 items uniques.
This alowed us to not only stop Webproxy sites, Botnets, and forced machines to use our internal proxy, it also blocks browser that the users had renamed to avoid AD policy- it also works with our remote laptops, because we have an outfacing proxy portal, so even if the user is offline and surfing, it is managed and control via our corp proxy.  I know We'r Cool, Got the right stuff..thank you thank you..

1. 1x host rule
2. 2x application rules , name.exe and "*" - hash
3. 2x firewall rules, a general alow for internal dns and proxy host, and a block all rule for the same applications.
4. you must have a working DNS infrastructure at your company to do this and internal proxy server. this technique can be use with simpler nework implementations by using Ip ranges and hosts names only.

This is just a overview of what my team accomplished, the purpose was to save money, no new harware or software needed to do the same function.