Q: Is there a straightforward mechanism that I can use to block Internet access from the Internet Explorer (IE) web browser on a set of important administrator machines in my Windows domain?
A: A simple way to block Internet access from a given Windows machine is to change the proxy address of the machine's IE web browser to an invalid proxy address. You can do this locally, or you can use a Group Policy Object (GPO) setting to centrally make this change.
Using a GPO setting to change the proxy address only works with IE. To do so, open the GPO Editor, navigate to User Configuration\Windows Settings\Internet Explorer Maintenance, and click Connection. Then double-click Proxy Settings, select Enable proxy settings, type 127.0.0.1 (the local network adaptor's loopback IP address) as the proxy address, and click OK.
Be aware that your administrators might also use other web browsers. You can easily change these browsers' proxy settings locally, but changing them centrally might be a bit trickier. A better way to completely lock Internet access is to configure specific user or machine account-based rules on the firewalls and proxies that are on the edge of your network.