I have a terminal server environment and for certain groups of users (set up in an OU) I want to restrict all external internet browsing but allow intranet access.  Can this be done via Active Directory / Group Policy?

* In GPO set the internet explorer proxy settings to 0.0.0.0. This will stop all external websites but allow internal.

OR

The IE URL Lock Browser Helper Object prevents users from navigating to web sites in Internet Explorer and Windows Explorer while permitting URLs that match a Perl-compatible regular expression stored in a registry list.

You can download the tool from the below link:

www.Moonlightdesing.org