I agree with sirdice... When my organization rolled our setup out about a month ago, we had to consider that any device that is not allowed to send traffic directly to the internet has to be completely stopped at our firewall. If you do this, then I don't care what kind of tool they use on their machine, they're not getting out... No traffic generated from their machine can. They could maybe spoof their IP addresses, but that would require knowing the IP addresses that are allowed and then using one that is already in use, creating another kind of problem.

When I was presented with the problem, I said let's just stop the traffic at the firewall and not even stop them from changing their proxy. If they choose to mess it up for themselves, let 'em, but that was quickly shot down. The two-part solution works great though... stop them from changing their proxy, but if they manage to, it doesn't matter because of the firewall.
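For readers who want to see what "stop it at the firewall" looks like in a ruleset, here is an added pf.conf fragment illustrating the firewall half of the two-part setup described above. It is an example written for this thread, not the poster's configuration: the interface names (em0/em1), the workstation network 10.0.0.0/24, the proxy address 10.0.0.10 and its port 3128 are all assumed. NAT for the proxy and the endpoint-side lock on proxy settings are not shown.

```pf
# Added example, not the poster's config. Assumed names and addresses:
int_if     = "em0"          # LAN-facing interface
ext_if     = "em1"          # uplink to the internet
lan        = "10.0.0.0/24"  # user workstations
proxy      = "10.0.0.10"    # the only host allowed to talk to the outside
proxy_port = "3128"

# Default deny, logged: a workstation that has been pointed away from the
# proxy shows up in pflog instead of quietly reaching the internet.
block log all

# Drop packets whose source address does not belong on the interface they
# arrived on (e.g. a LAN address showing up on the uplink side).
antispoof quick for { $int_if, $ext_if }

# Workstations may reach the proxy service, and nothing else beyond the LAN.
pass in quick on $int_if proto tcp from $lan to $proxy port $proxy_port

# Only the proxy itself may cross the firewall: in from the LAN side, out
# on the uplink, restricted to DNS and web ports.
pass in  quick on $int_if proto { tcp, udp } from $proxy to any port { 53, 80, 443 }
pass out quick on $ext_if proto { tcp, udp } from $proxy to any port { 53, 80, 443 }

# Anything else from $lan headed outside never matches a pass rule and is
# caught by the "block log all" above, whatever tool generated it.
```

Rules marked `quick` are first-match, so the order above is the evaluation order and the initial `block log all` is the fallthrough. Note that `antispoof` only catches addresses that are wrong for the interface they arrive on; a workstation that borrows the proxy's own address on the same segment is not stopped by this rule, it simply collides with the real proxy, which is the "another kind of problem" the post mentions. Check what is being dropped with `tcpdump -n -e -ttt -i pflog0` after loading the rules with `pfctl -f /etc/pf.conf`.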