Thumb's Up to the above suggestion by Tony. If you really want to use SEP to do this though, then you can use Application and Device Control rules to block access to modify or change the proxy registry keys. The below articles should help:
http://www.symantec.com/docs/HOWTO100332
https://support.microsoft.com/en-us/kb/819961
While these are well and good, I'd highly recommend you review your FW configuration instead, as it sounds like it may not be configured as securely as it could be. As you have a proxy server through which all users should access the internet, then all user machine IP addresses would ideally be blocked at the Gateway from accessing the internet, with access only being possible via the Proxy. Obviously, some exceptions will crop up, but Security Best Practices are to only allow what is required for BAU, and nothing else (this would also negate the requirement for a GPO or SEP policy as the machines won't get internet access at all, unless using the proxy).