The "official" way to do this would be to build a filter atop the Windows Filtering Platform; it's designed for this sort of thing, and it's how Windows' own Parental Controls feature is built.
Having said that, you can build a Parental Controls application using FiddlerCore. You would then use Group Policy to control proxy settings (Create a REG_DWORD named ProxySettingsPerUser
with value 0
inside HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\
) such that the settings cannot be changed by non-administrative users.
You could further bolster this by applying Firewall policies such that direct egress is blocked and only traffic going through Fiddler is permitted to leave the box.