In the SBU, it was possible to repair a computer with confidential data: any external communications were disabled, floppy disks / CDs / flash drives were disabled / blocked. on the machine itself there is some special software package blocking "everything and everything" ... there is a jammer of certain frequencies by the window. In your case, I think it is enough for this machine to deny access to the Internet, or to make access according to the "white" list, if you still need to climb somewhere for work. Drive mail only through your server with the preservation of all outgoing, sometimes see if the employee has sent anything prohibited. If sent, then punished already under a signed employment contract. Naturally, the employee must be familiar with the fact that everything is controlled, so that there is not even a desire to take risks.

Useless idea, because the vulnerability is not at the level of the HTTP protocol, but at the level of the layer between the chair and the monitor)

it should not be banned on a proxy, for example, x-type file
, and in general on a computer with confidential Internet data,
because proxies, tors and social networks with webmail are to hell

Raise the terminal and put the browser in RemoteApp. The user is provided with such a browser, file exchange with the terminal server is disabled. Google has a GPO set that is not applied to the server. Well, actually everything. It works quite tolerably, however, with a large number of users, the server must be with a large number of RAM. if you need to download files from the Internet - it is solved by a network ball with access rights. crutch, rude, but copes with the task :)

Well, not exactly crutch. There are a number of advantages here as well.
If a virus is caught due to a vulnerability in a flash or browser, then only the terminal will catch it. Moving the rapp server to an isolated zone will guarantee the safety of your network. Yes, and restoring a browser-machine from a backup is a matter of several manipulations. With the search and removal of malware, too. Computers of users will work faster, because one hundred tabs will open not on their own computer.
Access to files is transparent: through GPO we transfer the Documents, Downloads (any other) folder to the server. When connected, the user on the rapp server will see exactly his folder with documents, respectively, everything that he downloaded will be on his computer too.