Hi John
The task you're going to tackle is a bit confusing.
See, the owner wants to forbid downloading but allow browsing. The thing is, downloading is sometimes done using the HTTP protocol. This is exactly the same protocol you use for browsing. So, you see the trouble, right?
But at least you can prevent the "other protocols" from getting into action, like FTP, BitTorrent etc. So, maybe the idea is putting something like these iptables rules on the internet cafe gateway/firewall/proxy:
# replies to connections this box opened itself
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# redundant with the rule above (and it lets in anything claiming source port 80), so it can be left out
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -j REJECT
# DNS lookups, otherwise the browser cannot resolve any hostname
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# outgoing HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -j REJECT
The rules above mean: just allow connections to port 80 (HTTP), then drop the rest. Of course, you need to adjust them according to your real situation, i.e. adjust which interface faces the WAN and which one faces the LAN, etc.
Hope it helps...