If I understand your problem in a proper way, you have to block all internet traffic for the workstations except of web browsing.
If so, you have to turn your workgroup network interface to High Security Level. All network services will be blocked in your PC, if not directly allowed by Rule.
After this you have to create Rule:
Id:for example 1
Destintaion Port :80
You can also specify different addresses for you needs.
You cam also must allow DNS:
Id:for example 2
Destintaion Port :53