Blocking ports won't work. Only default deny. Install a squid box and deny all outgoing traffic except the squid box. Point browsers at squid. Turn on packet mangling so nothing works but http traffic.
Set up a whitelist of web sites they can see. Allow www.google.com. As people complain, add the sites they need to see. At first it will be hell, but all of your talky problems will be gone forever.
Set up an approval process. Supply a form on the intranet. If someone needs to get to a site, they fill out the form, their boss signs off on it and forwards it to you. Gradually you'll have a whitelist of nothing but work-related sites.
No one will be fired for looking at porno again because they can't any more.
This way you know who is looking at what and why, and if some VP says "Why is this site in there?", you can pull the form and give a copy to the VP so they can go ask the manager themselves. This will solve a lot of problems in one fell swoop.
People will bitch and moan but they'll get over it.
Just tell management that it will be hell for a little while but their network will be under control. IMHO this is how you deal with the "power users" that like to exploit your network.
This will keep them from getting dialers from porno sites, shareware trojans, music pirating, etc etc etc. It will solve a crapload of problems related to unauthorized outgoing connections for you.
It won't make you the most popular person in the office but you and your boss will look great to the people that hand out raises XD and your bandwidth usage will drop by 90%.
Special needs people will have a different form to fill out where they authorize you to open a port for their box. If they abuse it, it's their ass.
Default allow just doesn't work, and neither does just trying to block "bad stuff". It's an endless race against your users. You need to block everything but the "good stuff" and have a document for every site people are accessing. Draconian but very, very effective.
-Viz
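A squid.conf implementing the default-deny whitelist proxy Viz describes. This is an added example, not configuration from the original post; the LAN range, proxy address, listening port and whitelist file path are assumptions.

```conf
# squid.conf for a default-deny egress proxy: internal clients may only
# reach sites on an approved list, everything else is refused and logged.
# Assumed: LAN is 10.0.0.0/8, proxy listens on 3128.
http_port 3128

acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# One approved site per line, added as signed request forms come in,
# e.g. "www.google.com", or ".example.com" to cover a domain and its
# subdomains. Path is an assumption.
acl approved dstdomain "/etc/squid/approved_sites.txt"

# Refuse anything that is not plain HTTP/HTTPS on the usual ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only internal clients, and only to sites on the approved list.
http_access allow localnet approved

# Default deny. Squid evaluates http_access rules top down, so this
# line must stay last.
http_access deny all

# Keep the per-request log so "who is looking at what" can be answered.
access_log /var/log/squid/access.log squid

# Companion rules on the gateway (iptables syntax, addresses assumed):
# drop forwarded traffic by default and let only the proxy box out, so
# browsers that ignore the proxy setting get nothing.
#   iptables -P FORWARD DROP
#   iptables -A FORWARD -s 10.0.0.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
```

Run `squid -k parse` after editing to catch syntax errors before reloading, and `squid -k reconfigure` to pick up new entries in the approved list without dropping client connections.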