The simplest implementation of this would be to block all outbound traffic for all hosts by default, and allow only web traffic out through a proxy. Then for other specific services poke holes for specific src<->dst.