OK, so are you looking for a central solution? A solution that is on each machine that the browser is using? If you are using a centralised point of internet access then again I'd refer back to ipcop, with the advproxy addon: http://www.advproxy.net
You could also deploy this in each location, but it would require a separate machine on each site (unless you ran a vmware instance on the single machine, which is feasible but not what you really want, I'm sure), which, if it's only serving one machine anyway, seems odd at best.
Now, outside of this I am not sure how you would achieve user-based authentication to restrict access to certain sites with no additional machine. You can certainly run squid and authenticate on it when you are telling a browser to go directly to a proxy, but what's stopping a user disabling that proxy and just going direct to the internet? An iptables rule can intercept port 80 requests, but those requests will come from squid too anyway.... I'm rambling now, probably worth ignoring all that.
OK, so what if you don't want squid... could you not simply restrict the visible UI of the browser they are given to use? If they can only go to a homepage which is a menu, and have no access to other parts of the browser, then would that be all you'd want as an assurance they cannot go elsewhere? I'm sure there will be Firefox extensions for this, for example.
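
An added example, not part of the original post: on a single machine running both the browser and squid, the iptables owner match can tell squid's own outbound requests apart from a browser that has had its proxy setting removed. It rejects direct web traffic rather than redirecting it, because squid cannot ask for proxy authentication on intercepted connections. The account name "proxy" and the port list are assumptions; adjust them to the local install.

```shell
#!/bin/sh
# Added example: force all web traffic on this host through the local squid.
# Assumptions (not from the post): squid runs under the account "proxy",
# and the browser is configured to use squid on 127.0.0.1.
SQUID_USER="${SQUID_USER:-proxy}"   # assumed squid service account
WEB_PORTS="${WEB_PORTS:-80,443}"    # ports treated as "direct web access"
IPT="${IPT:-echo iptables}"         # dry run by default; run as root with IPT=iptables to apply

force_proxy_rules() {
    # Loopback stays open so the browser can still reach squid locally.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Outbound web requests made by the squid account itself are allowed.
    # The owner match only works in OUTPUT/POSTROUTING, i.e. for local processes.
    $IPT -A OUTPUT -p tcp -m multiport --dports "$WEB_PORTS" \
         -m owner --uid-owner "$SQUID_USER" -j ACCEPT

    # Any other local process going straight to a web port is refused, so
    # disabling the proxy in the browser yields a connection reset.
    $IPT -A OUTPUT -p tcp -m multiport --dports "$WEB_PORTS" \
         -j REJECT --reject-with tcp-reset
}

# Print (or apply) the rules in order; ACCEPT for squid must precede the REJECT.
force_proxy_rules
```

This only holds while users lack root on the machine and only covers the listed ports; web servers on other ports would need a default-deny OUTPUT policy instead.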