The other option could be to set a bogus proxy in there, with everything listed as an internal exception. That would let them get to the intranet, but not out through the proxy server.