Hi.
If I understand your problem in a proper way, you have to block all internet traffic for the workstations except of web browsing.
If so, you have to turn your workgroup network interface to High Security Level. All network services will be blocked in your PC, if not directly allowed by Rule.
After this you have to create Rule:
Description:WEB Browsing
Id:for example 1
Type:Allow
Direction:Both
Protocol :TCP
Destintaion Port :80
You can also specify different addresses for you needs.
You cam also must allow DNS:
Description:DNS
Id:for example 2
Type:Allow
Direction:Both
Protocol :UDP
Destintaion Port :53
Regards,
Andrew